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Abstract 

Process algebra and temporal logic are two popular paradigms for the spec- 
ification, verification and systematic development of reactive and concurrent 
systems. These two approaches take different standpoint for looking at specifi- 
cations and verifications, and offer complementary advantages. In order to mix 
algebraic and logic styles of specification in a uniform framework, the notion of 
a logic labelled transition system (LLTS) has been presented and explored by 
Liittgen and Vogler. This paper intends to propose a LLTS-oriented process 
calculus which, in addition to usual process-algebraic operators, involves logic 
connectives {conjunction and disjunction) and standard temporal operators 
{always and unless). This calculus preserves usual properties of these logic 
operators, allows one to freely mix operational and logic operators, and sup- 
ports compositional reasoning. Moreover, the links between this calculus and 
Action-based Computation Tree Logic (ACTL) including characteristic for- 
mulae of process terms, characteristic processes of ACTL formulae and Galois 
connection are explored. 

Key Words Process Calculus Action-based Computation Tree Logic 
Ready Simulation Logic Labelled Transition System Galois Connection 

1 Introduction 

1.1 Two popular paradigms in formal method 

The dominant approaches for the specification, verification and systematic develop- 
ment of reactive and concurrent systems are based on either states or actions. For 
state-based approaches, an execution of a system is vievifed as a sequence of states, 
while another approach regards an execution as a sequence of actions. 

State-based approaches devote themselves to specifying and verifying abstract 
properties of systems, which often involve formalisms in logic style. Since the sem- 
inal work of Pnueli [53] , logics have been adopted to serve as useful tools for spec- 
ifying and verifying of reactive and concurrent systems. In such framework, a 
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specification is expressed by a set of formulae in some logic system and verification 

is a deductive or model-checking activity. 

Action-based approaches put attention to behavior of systems, which have tended 
to use formalisms in algebraic style. These formalisms are referred to as process 
algebra or process calculus [45, 36, 35, 10]. In such paradigm, a specification and its 
implementation usually are formulated by the same notations, which are terms (ex- 
pressions) of a formal language built from a number of operators, and the underlying 
semantics are often assigned operationally. Intuitively, a specification describes the 
desired high-level behavior, and an implementation provides lower-level details in- 
dicating how this behavior is to be achieved. The verification amounts to compare 
terms, which is often referred to as implementation verification or equivalence 
checking [2]. The comparison of a specification to an implementation is based on 
behavioral relations. Such relations depend on particular observation criterions, 
and are typically equivalences (or preorders) , which capture a notion of "having the 
same observation" (respectively, "refinement" ) . At the present time, due to lack of 
consensus on what constitutes an appropriate notion of observable behavior, a vari- 
ety of observation criterions and behavioral relations have been proposed [25] . The 
correctness of an implementation may be verified in a proof-theory oriented man- 
ner or in a semantics oriented manner. The former is rooted in an axiomatization 
of the behavioral relation, while the later appeals to coinduction technology which 
is considered as one of the most important contributions of concurrency theory to 
computer science [55]. 

Since logic and algebraic frameworks take different standpoint for looking at 
specifications and verifications, they offer complementary advantages: 

On the logic side, there exist a number of logic systems, e.g.. Linear temporal 
logic [53]. Computation tree logic [17], /i— calculus [38] and so on, in which the most 
common reasonable property of concurrent systems, such as invariance (safety), 
liveness, etc., can be formulated without referring operational details (see, e.g., [16, 
57]). Moreover, one of inherent advantage of logic approach is that it is ability to 
deal with partial specifications: one can establish that a given system realizes a 
particular property without involving its full specification. On the other hand, the 
inclusion of classes of models is a natural refinement preorder on logic specifications, 
hence refining a logic specification amounts to enrich original one by adding new 
formulas consistently. However, logic approach has been criticized for being global, 
non-modular and non-compositional. In other words, we often arc required to con- 
sider a given system as a whole whenever formulating and verifying a logic property. 
For instance, it always lacks a natural way to combine temporal properties, which 
are required separately for subsystem Pi and P2, into a temporal specification for 
Pi 11 P2. Such deficiency has been indicated by Pnueli in [53] where temporal logic 
is described as being endogenous, that is, asstuning the complete program as fixed 
context. Summarizing, a variety of logics may serve as powerful tools for express- 
ing and verifying a wide spectrum of properties of concurrent systems, but, due to 
their global perspective and abstract nature, it is difficult for them to describe the 
link between the structure of implementation and that of specification, and hence 
logic approaches often give little support for systematic development of concurrent 
systems. 

On the algebraic side, since systems are represented by terms in some algebras, 
complex systems may be built up from existent systems using algebraic operators. 
Moreover, the observable behavior of the complex system does not change if an sub- 
system is replaced by one with the same behavior, which is granted by the fact that 
behavioral relations considered in process algebras are often required to be compat- 
ible with process operators, in other words, these relations are (pre) congruence over 
terms. These features cause the main advantage of algebraic paradigm, that is, it 
always supports compositional constructing and reasoning. Such compositionality 
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brings us advantages in developing systems, such as, supporting modular design 
and verification, avoiding verifying the whole system from scratch when its parts 
are modified, allowing reusability of proofs and so on [5] . Thus algebraic approaches 
offer significant support for rigorous systematic development of reactive and con- 
current systems. However, since algebraic approaches specify a system by means 
of prescribing in detail how the system should behave, it is often difficult for them 
to describe abstract properties of systems, which is a major disadvantage of such 
approaches. 

1.2 Connections between process algebras and logics 

It is natural to wonder what the connection between the algebraic approach and 
logic approach is. Based on structural operational semantics (SOS) in Plotkin-style, 
terms in process algebras can be "transformed" into labelled transition systems. 
The latter may be viewed as models (in the model-theoretic sense) for suitable 
logic language. Hence this induces the satisfiability relation |= between process 
terms and formulas. Given such satisfiability relation, three connections between a 
process algebra and a logic deserve special mention, which are considered by Pnueli 
in [54] and recalled in the following. Let P be a process algebra equipped with a 
behavioral relation ixi, and L a logic language associated with a satisfiability relation 

• Adequacy of (L, |=) w.r.t (P, txi) 

The logic L is said to be adequate w.r.t (P, ixi) if for any process p and q, 
either 

p [XI q iS \fa gL(p \= a <^ q \= a ) (if Dx] is an equivalence) 

or 

p 1x3 q iS Va GL((7 |= a => p |= a ) (if M is a preorder) 

This notion is considered by Hennesy and Milner in [34] , where they prove that 
Hennesy-Milner logic (HML) is adequate w.r.t bisimilarity for image finite CCS 
terms. It is one of key evens that make Milner think that CCS is definitely inter- 
esting enougl|3. Following their work, the literature on concurrency theory offers a 
wealth of modal characterizations for various behavioral relations. A good overview 
on this subject may be found in [9]. In the realm of modal logic, more generalized 
results concerning Hennesy-Milner property (class) have been established [8, 11, 
27, 28, 37]. Recently, such issue is also considered in depth in the framework of 
coalgebrao (see, e.g., [47, 51]). 

As pointed out by Pnueli in [54] , the requirement of adequacy is the weakest one 
of compatibility between a process algebra and a logic. A symptom of its weakness is 
that the same logic may be adequate for some process languages with very different 
expressivity [54]. For instance, HML is adequate w.r.t bisimilarity for both CCS 
and the fragment of CCS consisting of recursion- free terms. Moreover, the Hennesy- 
Milner characterization is less useful if one intend to check the equivalence of process 
terms using model checking [2]. 

Stronger associations between processes algebras and logic systems involve trans- 
lating between them: characterizing a given process in terms of logic formulae, and 
graphical representing a given logic formula by means of process terms. Next we 
recall them in turns. 

^See: http: / / www.sussex.ac.uk/Users / mfb21/interviews / milner/' 

^In this realm, a coalgebraic modal logic for F— coalgebras is said to be adequate if behavioral 
equivalence implies logical equivalence, and it is said to be expressive if the converse holds. 
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• Expressivity of (L, \=) w.r.t (P, ixi) 

A stronger compatibility requirement involves expressivity. The logic L is said 
to be expressivity w.r.t (P, \xi) if for any process p in P, there exists a formula L{p) 

€ L such that 

(El) q ^ L{p) iff 5 CXI p for any process q in P, and 

(E2) p \=: If iS \= L{p) — > If for any formula ip in L. 

Clearly, if such formula for a process can be algorithmically constructed, im- 
plementation verification can be reduced to model checking according to (El), and 
the verification of an assertion p \= can be transformed into the validity problem 
within L by (E2). Graf and Sifakis were probably the first to develop logics which 
are expressive for process algebras. In [29], they present Synchronization Tree Logic 
(STL, for short) for a process algebra with a congruence relation ?». STL contains 
process terms as formulae, and its semantic is defined so that both (El) and (E2) 
hold with the function L = Xx.x. 

Given a process p, a formula (f>p is said to be a characteristic formula of p if 
it satisfies (El). Such notion also provides a very elegant link between process al- 
gebra and logic, and between implementation verification and model checking [2]. 
Graf and Sifakis provide a method of constructing characteristic formula modulo 
observational congruence for any recursion-free CCS term [30]. Hitherto, over dif- 
ferent structures, e.g., finite LTS, Kripke structures, time automata and so on, a 
number of examples of characteristic-formula constructions for various behavioral 
relations have been reported in the literature [4, 15, 20, 23, 39, 40, 46, 56, 59]. 
The underlying structures of these constructions are identical, that is, characteris- 
tic formulae often arc defined as fixed points of some functions. Recently, ground 
on this phenomenon, L.Aceto et al. offer a general framework for the constructions 
of characteristic formulae [2, 3]. 

• Expressivity of (P, ixi) w.r.t (L, ]=) 

Another stronger association between process algebras and logics involves an 
inverse translation, which associates with each formula e L a set P{(p) that 
consists of all the processes satisfying Lp. A process language is said to be expressive 
for L if such translation is given in a syntactic manner. In order to obtain such 
expressivity, additional operators that construct process sets are often needed. 

In a classic paper [14], Boudol and Larson offer a process language O and a 
translation (^(.) in a syntactic manner, and show that any HML formula <p is rep- 
resentable by a finite set ({(p) of terms in 6. In particular, ({(f)) can be reduced to 
a singleton, say {<^*}, if and only if the given formula (p is consistent and prime. 
Moreover, such term (j)* satisfies the property below 

t \= (f> <^ (j)* Q t for any term t in O. 

Here C is a behavioral relation considered in [14]. In such situation, the model 
checking problem can be reduced to implementation verification. Clearly, cf)* plays 
an analogous role of characteristic formula in a contrary way. In fact, characteristic- 
formula construction and C(-) indeed induce a Galois connection between (6, E) 
and the set of consistent prime formulae augment with some preorder [14]. In 
[1], L.Aceto et al. address the same issue, and show that, modulo the covariant- 
contravariant simulation preorder, any consistent and prime formula in the covariant- 
contravariant modal logic also admits a representation by means of process terms. 

1.3 Background and motivation 

As mentioned above, logic approaches and algebraic approaches offer complemen- 
tary advantages when specifying systems. The former is good at specifying abstract 
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properties of systems, while the latter is applicable if we intend to specify the system 
itself through describing its behavioral and structural properties. 

Impelled by taking advantage of both approaches when designing systems, so- 
called heterogeneous specifications have been proposed, which uniformly integrate 
these two specification styles. Among them, based on Biichi automata and LTS aug- 
mented with a predicate, Cleaveland and Liittgen provide a semantic framework for 
heterogenous system design [18, 19], where must-testing preorder offered by Nicola 
and Hcnnessy [48] is adopted to describe refinement relation. In addition to usual 
operational operators, such framework also involves logic connectives. However, 
since must-testing preorder is not a precongruence in such situation, this setting 
does not support compositional reasoning. Moreover, the logic connective conjunc- 
tion in this framework lacks the desired property that r is an implementation of the 
specification p A g if and only if r implements both p and q. 

Recently, Liittgen and Vogler introduce the notion of a Logic LTS (LLTS, for 
short), which combines operational and logic styles of specification in one unified 
framework [42, 43]. In order to handle logic conjunctions of specifications, LLTS 
involves consideration of inconsistencies, which, compared with usual LTS, is one 
distinguishing feature of it. Two kinds of constructors over LLTSs are considered in 
[42, 43]: operational constructors, e.g., CSP-style parallel composition, hiding and 
so on, and logic connectives including conjunction and disjunction. Such frame- 
work allows one to freely mix these two kinds of constructors, while most early 
theories couple them loosely and do not allow for mixed specification. Moreover, 
the drawbacks in [19, 18] mentioned above have been remedied by adopting ready- 
tree semantics [42]. In order to support compositional reasoning in the presence 
of the parallel constructor, a variant of the usual notion of ready simulation is 
employed to characterize the refinement relation [43]. Some standard modal oper- 
ators in temporal logics, such as always and unless, arc also integrated into this 
framework [44]. 

Along the direction suggested by Liittgen and Vogler in [43] , we propose a pro- 
cess calculus called CLL in [60] , which reconstructs their setting in process algebraic 
style. In addition to prefix a.(), external choice □ and parallel operator \\a, CLL 
contains logic operators A and V over process terms, which correspond to the con- 
structors conjunction and disjunction over LLTSs respectively. The language CLL 
is explored in detail from two different but ciquivalcnt angles. Based on behav- 
ioral view, the notion of ready simulation is adopted to formalize the refinement 
relation, and the behavioral theory is developed. Based on proof-theoretic view, 
a sound and ground-complete axiomatic system for CLL is provided. In effect, it 
gives an axiomatization of ready simulation in the presence of logic operators. 

However, due to lack of modal operators, CLL still does not afford describing 
abstract properties of systems. This paper intends to enrich CLL with temporal 
operators always and unless by two distinct approaches. One approach is to in- 
troduce nonstandard process-algebraic operators jj, w, A and to capture Liittgen 
and Vogler's constructions in [44] directly. The other is to provide graphical repre- 
senting of temporal operators always and unless in recursive manner. The latter 
is independent of Liittgen and Vogler's constructions but depends on the great- 
est fixed-point characterization obtained in this paper. Moreover, the connections 
between the resulting calculus (that we call CLLT) and ACTL [49] are explored 
from angles recalled in the preceding subsection. These connections include char- 
acteristic formulae of process terms, characteristic processes of formulae and Galois 
connection. 

The remainder of this paper is organized as follows. The next section presents 
some preliminaries. In Section 3, SOS rules of CLLT arc; introduced, the existence 
and uniqueness of stable transition model for CLLT is demonstrated, and a few of 
basic properties of the LTS associated with CLLT are given. Section 4 and 5 are 
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devoted to the study of temporal operators always jj and unless w respectively. 
Section 6 establishes a fixed-point characterization of the operator vj. Section 7 
provides a recursive approach to dealing with the temporal operator w. Section 8 
explores the links between CLLT and ACTL. Finally, a brief conclusion and discus- 
sion are given in Section 9. 

2 Preliminaries 

In this section, we shall set up notation and terminology and briefly sketch the 
process calculus CLL. 

2.1 Logic LTS 

This subsection will introduce some useful notations and recall the notion of a 
Logic LTS. Here we do not give examples motivating and illustrating the use of 
such notion, which may be found in [43, 44]. 

Let Act be a set of visible actions ranged over by letters a, h, etc., and let Actr 
denote Act U {t} ranged over by a and /3, where t represents invisible actions. An 
LTS with a predicate is a quadruple (P, Actr,^, F), where P is a set of states, 
-^C P X Actr X P is the transition relation and F C P. As usual, we write p q 
if {p, a, q) e— )■. A state q is said to be an a-derivative oi p ii p q. The assertion 

a ^ 

p holds if p has a a-derivative, otherwise p -/^ holds. Given a state p, the ready 
set of p, denoted by I{p), is defined as {a € Actr '■ P —>}■ A. state p is said to be 

T 

stable if it can not engage in any r-transition, i.e., p Some useful decorated 
transition relations are listed below. 
pAi^giffpAg and p,q ^ F. 

p 4> g iff p{^)*q, where {-^)* is the transitive and reflexive closure of 
p ^ q iS p ^ r s =^ q for some r,s € P. 

T T 

p^ \q (or, p ^ \q) iS p ^ q ^ {p ^ q y^, respectively). 

p =I>F g iff there exists a sequence of r— labelled transitions from p to q such 
that all states along this sequence, including p and q, are not in F. The decorated 
transition p-^p q may be defined similarly. 

T T 

P \q (or, p \q) iff P =^f q^ [p q 7^, respectively). 

Remark 2.1 Notice that some notations above are slightly different from ones 

adopted by Liittgcn and Vogler. In [43, 44], the notation p => \q (or, p =4> \q) has 
the same meaning as p \q (respectively, p \q) in this paper. 

Definition 2.1 ([43]) An LTS {P,Actr,^,F) is said to be a LLTS if, for each 

PGP, 

(LTSl) p G F if 3a G /(p)Vg G P(p 4 g implies q G F), 

(LTS2) p G P if -.3g G Pp 4>f \q- 

A LLTS (P, Actr, F) is said to be r — pure if, for each p £ P, p ^ implies 
^3a e Act. p A. Hence, for any state p in a r-pure LTS, either I{p) = {r} or 
I{p) C Act. 

Here the predicate F is used to denote the set of all inconsistent states. Com- 
pared with usual LTSs, it is one distinguishing feature of LLTS that it involves 
consideration of inconsistencies. Roughly speaking, the motivation behind such 
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consideration lies in dealing with inconsistencies caused by conjunctive composi- 
tion. In the sequel, we shall use the phrase ^^inconsistency predicate^^ to refer to 
F. The condition (LTSl) formalizes the backward propagation of inconsistencies, 
and (LTS2) captures the intuition that divergence (i.e., infinite sequences of r- 
transitions) should be viewed as catastrophic. For more intuitive idea about incon- 
sistency and motivation behind (LTSl) and (LTS2), the reader may refer to [43, 
44]. 

2.2 A variant of ready simulation 

In [43, 44], the notion of ready simulation below is adopted to formalize the refine- 
ment relation, which is a modified version of the usual notion of ready simulation 
(see, e.g., [25]). 

Definition 2.2 ([43, 44]) Given a LLTS (P, AcU,^, F), a relation RCPx P 
is said to be a stable ready simulation relation if, for any {t, s) € R and a G Act, 
the following conditions hold 

(RSI) Both t and s are stable; 

(RS2) t ^ F implies s ^ F; 

(RS3) t =^F \u implies 3v.s \v and {u,v) G R; 
(RS4) t ^ F implies I{t) = I{s). 

We say that t is stable ready simulated by s, in symbols t \z s, if there exists 

a stable ready simulation relation R with {t, s) G R. Further, t is said to be ready 
simulated by s, written t s, if 

yuCt 4>F jw implies 3v.s 4>f |v and u C v). 
It is easy to see that both iz and are pre-order (i.e., reflexive and tran- 

~RS 

sitive). The equivalence relations induced by them are denoted by !^rs and =rs, 
respectively, that is 

»fls = 1= n (C )-^ and =Rs = Qrs fl (Eiis)"^- 

~RS 

The notion of ready simulation presented in Def. 2.2 is a central notion in 
[43, 44, 60] and this paper. It is natural to wonder why such notion is adopted 
to formalize the refinement relation. From our point of view, whenever we try to 
mix process-algebraic and logic styles of specification in a uniform framework, the 
requirements below should be met by such framework. 

• It is well known that parallel composition and conjunction are two fundamen- 
tal ways of combining specifications: the former is adopted to structurally 
compose two or more subsystems, and the latter is used to combine speci- 
fications expressed by logic formulae. Thus such uniform framework should 
include these two constructors. 

• Since such framework involves specifications in logic style, wc shoiild take 
account of the consistency of specifications. A trivial and desired property is 
that an inconsistent specification can only be refined by inconsistent ones. 

• Such uniform framework should support compositional reasoning. Hence the 
behavior relation adopted in this framework need to be (pre) congruent w.r.t 
all operators within it. 
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Consequently, the result below reveals that it is reasonable to adopt the notion 
of ready simulation in Def. 2.2 as behavior relation when we intend to explore such 
uniform framework. 

Theorem 2.1 ([43]) The ready simulation Qrs exactly is the largest precon- 
gruence ^ w.r.t parallel composition and conjunction such that p ^ q and q & F 
implies p G F . 

Proof. See Theorem 21 in [43]. □ 

2.3 Transition system specifications 

Structural Operational Semantics (SOS) is a logic method of giving operational 
semantics, which provides a syntax oriented view on operational semantics [52]. 
Transition System Specifications (TSSs), as presented by Groote and Vaandrager 
in [31], are formalizations of SOS. This subsection recalls basic concepts related to 
TSS. Further information on this issue may be found in [9, 13, 31]. 

Given an infinite set V of variables and a signature E, we assume that the 
resulting notions of term, closed (ground) terms, substitution and closed (ground) 
substitution are already familiar to the reader. Following standard usage, the set of 
all E-terms (or, E-closed terms) over V is denoted by T(E, V) (T'(E), respectively). 

A TSS is a quadruple T = (E, ^,A, S), where S is a signature, A is a set of 
labels, A is a set of predicate symbols and S is a set of rules. Positive literals are 
all expressions of the form t ^ s ot tP, while negative literals are all expressions 

a 

of the form t -/^ or t-'P, where t,s € r(E, V), a € A and P e A. A rule r e S 
has the form like ; where prem(r), the premises of the rule r, is a set of 

(positive or negative) literals, and conc{r), the conclusion of the rule r, is a positive 
literal. Given a rule r, the set of positive premises (or, negative premises) of r is 
denoted by pprem{r) (respectively, nprem{r) ), moreover, r is said to be positive 
if nprem^r) = 0. A TSS is said to be positive if it has only positive rules. Given a 
substitution a and a rule r € S, ru is the rule obtained from r by replacing each 
variable in r by its cr-image, that is, ra = Moreover, if a is closed 

^ o ' ' conc{r)a ' 

then ra is said to be a ground instance of r. 

Definition 2.3 (Proof in Positive TSS) Let F = (E, A, A, S) be a positive TSS. 

A proof of a closed positive literal from F is a well-founded, upwardly branching 
tree, whose nodes are labelled by closed literals, such that 

• the root is labelled with ip, 

• if X is the label of a node q and {xi : z G /} is the set of labels of the 
nodes directly above q, then there is a rule {cpi : i G J}/(p in S and a closed 
substitution a such that x = ipa and Xi = ^i'^ foi' each i e 7. 

If a proof of ip from F exists, then xj) is said to be provable from F, in symbols 
Fh V- 

Given a TSS F = (E,^, A, S), a transition model M is a subset of Tr(E, A) U 
Prerf(E,A), where Tr(E,A) = T(E) x Ax T{E) and Prerf(E,A) = T(E) x A. 

Following standard usage, elements {t, a, s) and (t, P) in M are written as t A s 
and tP respectively. A positive closed literal ip is said to be valid in M, in symbols 

a 

M ^ Ip, a ip £ M. A negative closed literal t -/^ (or, ^-iP) holds in M, in symbols 
M ^ i (M 1= t-.P, respectively), if there is no s such that t s G M {tP M , 
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respectively). As usual, for a set ^ of closed literals, M \= ^ iS M \= ip for each 



Definition 2.4 Let T = (S,A,A, S) be a TSS and M a transition model. 

M is said to be a model of F if, for each r G S and cr : ^ — > r(E) such that 
M \= prem{ra), we have M \= concira). M is said to be supported by F if, for 
each S M, there exist r e S and a : V ^ ^(^) such that M \= prem{ra) and 
conc{ra) = tp. M is said to be a supported model of F if M is supported by F and 
M is a model of F. 

A natural and simple method of describing the operational nature of processes is 
in terms of LTSs. Given a TSS, an important problem is how to associate LTSs with 
process terms. For positive TSS, the answer is straightforward. It is well known 
that every positive TSS F has a least transition model, which exactly consists of 
provable transitions of F and induces a LTS naturally. However, since it is not 
immediately clear what can be considered as a "proof" for a negative formula, it is 
much less trivial to associate a model with a TSS containing negative premises [32]. 
The first generic answer to this question is formulated in [32, 12], where the above 
notion of supported model is introduced. However, this notion doesn't always work 
well. Several alternatives have been proposed, and a good ovcrvicnv on this issiic is 
provided in [26] . In the following, we recall the notions of stratification and stable 
transition model, which play an important role in this field. 

Definition 2.5 (Stratification [13]) Let F = A, S) be a TSS and C an 

ordinal number. A function S : Tr{Y,,A) U Pred{'E, A) — >■ ^ is said to be a strat- 
ification of F if, for every rule r S S and every substitution a : V — y T(T,), the 
following conditions hold. 

• S{ip) < S{conc{ra)) for each tp G pprem{ra), 

• S{tP) < S{conc{ra)) for each t^P e nprem{ra), and 

a ^ 

• S{t — >■ s) < S{conc{r(T)) for each s G T(S) and t -/^G nprem{ra). 

A TSS is said to be stratified iff there exists a stratification function for it. 

Definition 2.6 (Stable Transition Model [13, 24]) Let F = (E,^,A,E:) be a 
TSS and M a transition model. M is said to be a stable transition model for F if 



and Mstrip{r, m) is the least transition model of the positive TSS Strip{r,M). 

As is well known, stable models are supported models, and each stratified TSS 
F has a unique stable model [13], moreover, such stable model does not depend on 
particular stratification function [32]. 



where Strip{r,M) is the TSS {T,,A,A, 



Strip{E,M)) with 




(r) r is a ground instance of some rule in S 
' and M |= nprem{r) 
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2.4 Process calculus CLL 

For the convenience of the reader this subsection will briefly sketch the process 

calculus CLL proposed in [60], thus making our exposition self-contained. The 
processes in CLL are given by BNF below, where a G Actr and A C Act. 

p ::= I ± I {a.p) \ (pOp) \ ip\\Ap) \{p^p)\ (p Ap). 

As usual, is a process that can do nothing. The prefix a.t has a single capability 
expressed by a, and the process t cannot proceed until a has been exercised. □ is 
an external choice operator. \\a is a CSP-style parallel operator, ti \\a ^2 represents 
a process that behaves as ti in parallel with t2 under the synchronization set A. 
_L represents an inconsistent process which cannot engage in any transition. V 
and A are logic operators, which are intended for describing logic combinations of 
processes. In addition to operators over processes, CLL also contains predicate 
symbols F and for each a G Actr- Intuitively, given a process p, pF says that p 
is inconsistent, and pF^ says that p has a consistent a— derivative, which is useful 
when describing (LTSl) (see, Def. 2.1) in terms of SOS rules. The SOS rules of 
CLL are divided into two parts: transition rules and predicate rules, which are given 
below. 

T T 

(Rai) — (Ras) j-— (Ras) — — 

a.p p PiUp2 -> t piUp2 t 

(Ra4) (Ras) (Rae) 

Pinp2 -> tnp2 PiOp2 PiDt pi A P2 ^ ti A <2 

(Rar) (Ras) (Rag)- 



Pl Ap2 ^t Ap2 Pi Ap2 ^ Pi At Pl V P2 — > Pi 
(Raio)— 7 (Ran) — ^— (Rai2) — ^ - 

PlVp2->P2 Pi \\a P2 ^ t \\a P2 Pi \\aP2 ^ Pi \\. 

T T 

t-D \Pi-^* P2 7^ o.iA .P2-^t Pi 7^ a^A 
(R-ai3) ^— (Ra 14) a — 

Pl\\AP2^t\\AP2 Pi \\aP2 Pi llAt 

^Pi -^ti P2 ^ t2 aG A 

Pi \\a P2 a ti \\a t2 

Table 1 The transition rules of CLL 

(Rpi) (Rp2) ^ (Rps) — —ET (R.P4)- 



(Ra 



15) 



±F ^ ' a.pF ^ ' p\/qF ' ' pOqF 

(RP5)^^ (Rpe)^^ (RP7)^^ (Rps)- 



pHqF p \\a qF p \\a qF p AqF 

a T a T 

m ^ 1^ f-D ^ P^ Pii iP f^<l-f^ 1^ X « <?i, P 7^ , pAg 7^ 
(Rpg) — - — — (Rpio) z — (Rpii) z — ^ 

p AqF ^ p AqF p A qF 

Table 2 The predicate rules about F 

pAq^r r^F pAq^r pAq-^F^ 

(Rpcz,z,i2) — (RpcLLia)- 



pf\qFa pAqF 
Table 3 The predicate rules about F^ 



10 



Table 1 consists of transition rules Rai{l < i < 15), where a G Act, a e 

Actr and A C Act. Negative premises in rules Ra2, Ras, i?ai3 and Ran give r- 
transition precedence over transitions labelled by visible actions, which guarantees 
that the transition model of CLL is r-pure. Rules Rag and Raio illustrate that the 
operational aspect of ti V t2 is same as internal choice in usual process calculus. 
The rule Rae reflects that the conjunction operator A is a synchronous product for 
visible transitions. 

Table 2 contains predicate rules about the inconsistency predicate F. Although 
both and _L have empty behavior, they represent different processes. The rule 
Rpi says that _L is inconsistent, but is consistent as there is no proof of OF. The 
rule Rp3 reflects that if both two disjunctive parts are inconsistent then so is the 
disjunction. Rules Rp4 — RpQ describe the system design strategy that if one part 
is inconsistent, then so is the whole composition. The rules Rpio and Rpn reveal 
that a stable conjunction is inconsistent if its conjrmcts have distinct ready sets. 

Table 3 contains predicate rules (RpcLLi2) and (RpcLLia) which formalize 
(LTSl) in Def. 2.1 for processes with the format p A q. 

Following [43], the notion of ready simulation (see, Def. 2.2) is adopted to 
formalize the refinement relation in [60]. Moreover, a sound and ground-complete 
axiomatic system is provided to characterize the operators within CLL in terms of 
(in)equational laws in [60]. 



3 Process calculus CLLT 

This section will introduce the process calculus CLLT, which is obtained by en- 
riching CLL with two temporal operators and two useful auxiliary operators, but 
omitting all predicate symbols Fa with a G Act^. In the following, we will give 
syntax and SOS rules of CLLT, and demonstrate that CLLT has a unique stable 
model. Moreover, a number of simple but useful properties of such model are given. 

3.1 Syntax and SOS rules of CLLT 

In addition to operators in CLL, new process operators true, jj and zu, and auxiliary 
operators A and are added to CLLT. Before describing their behavior formally in 
terms of SOS rules, we give a brief, informal account of the intended interpretation 
of these operators. The constant (i.e., 0-ary operator) true represents the "loos- 
est" specification: it does not require anything except consistency, while admitting 
any possible move. The operators ft and zu are intended to capture modal opera- 
tors always and unless respectively through providing graphical representations of 
logic specifications ''always p" and "p unless q" . They turn out to be suitable in 
describing the "loosest" implementations that realize these two logic specifications 
respectively. Auxiliary operators A and themselves have little computational (or 
logic) meaning, but they are useful stepping-stones when we assign operational se- 
mantics to operators jj and vj by means of SOS rules. Roughly speaking, the whole 
point of using A (or, 0) is to record the evolving paths of processes with the format 
ftp {pzuq, respectively). 

Definition 3.1 The processes in CLLT are defined by BNF below 

p::=q \ true \ (jip) ] ( pzup) \ {p © (pojp)) | {pAp) with q € T{T,cll)- 

Here TCEcll) is the set of all processes in CLL. In the remainder, we shall 
always use ti = t2 to mean that the expressions ti and t2 are syntactically identi- 
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cal, and use the notation □ ij for a generalized external choice, which is defined 
formally below. 



Definition 3.2 Let < to,ti, . . . ,tn-i > be a finite sequence of process terms 
with n > 0. The generalized external choice □ U is defined recursively as 

1 D U = 0, 

i<0 

2 D to, 

3 □ {a U)Dtk for A: > 1. 

i<k+l i<k 

In fact, modulo =rs^ the order and grouping of terms in □ ti may be ignored 

by virtue of the commutative and associative laws [60] . Therefore we also often use 
the notation □ U to denote generalized external choice, where / is an arbitrary 

finite indexed set. 



(RaieS r (Rai7) 



true □ a.true '\\p ^ q /\p 



(Rais)- — a ^ ^ . — (Raig) ^ 



tip [q A p) A p pAr — 5- g A r 



pAr A (g A r) A r pzuq p Q (p'OJq) 



(Ra22) 7 — (Ra23) 



pzuq q r {pzuq) -> s (pzuq) 

a a 
T — ^ S ^ — ^ 

(Ra24) (Ra25) 



r [pzuq) s hq r (pzuq) A (s A p) (pzuq) 

Table 4 Additional transition rules 



(RP.) '^^ (Rpra)- 



pzjqF pAqF 

rF pF 
(Rpu) ——, tt; (Rpis)- 



Q{pwq)F ' tJpF 

a r 7-n Q 

(Rpie) '■ , where the topmost operator of p is in {A, jj, A, 0}q 

pF 

Table 5 Additional predicate rules 

Similar to CLL, the SOS rules of CLLT are divided into two parts: transition 
rules andpredicate rules. In effect these rules capture Liittgen and Vogler's con- 
structionf|3 in process algebraic style. 



^In particular, — by setting A = 0. 

true — > 

That is, p has one of the formats: r A t, 'jt, t A s and t (rvuq). 
^See Definition 9 and 10 in [44]. 
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On the side of transition rules, in addition to all transition rules of CLL (i.e., 

rules in Tabic 1), rules in Tabic 4 are adopted to describe the behavior of true, j|, 
vu, A and ©, where a G Act and A is any finite subset of Act. 

On the side of rules concerning inconsistency predicate F, rules in Table 2 are 
preserved, and rules in Table 5 are added to CLLT. Notice that the rules (RpcLLi2) 
and (RpcLLis) in Table 3 are replaced by the rule (Rpie). The motivation behind 
this modification may be found in the next subsection (see. Remark 3.1). 

Summarizing, the TSS for CLLT is Tcllt = {'^cllt, Actr, Acllt,'^cllt), 
where 

• ScLLT = {□, A, V, 0, ±} [j{a.O\a € Actr} U{IU 1^ ^ Act} [j{true, ft, w, A, ©}, 

• AcLLT = {F}, and 

• ^CLLT = {Rai, Ra25} U{^Pi> • • • > -Rpie}- 
3.2 Stable transition model of CLLT 

This subsection will illustrate that Tcllt has a unique stable model. To this end, 
a few preliminary definitions are needed. 

Definition 3.3 The degree of terms is defined inductively below 
|0| = |_L| = \true\ = 1 

\m = = 1*1 + 1 

|ii*i2| = \ti\ + \t2\ + 1 for * e {w, A, V, |U, □} 

\tiAt2\ = \tlQ{t2Wt3)\ = \ti\ 

Definition 3.4 The function S from Tr{T,cLLT, Actr) U Pred{T,cLLT, ^cllt) 
to ui+l is defined as: S{t A r) = \t\ for any t A r G TriJlcLLT, Actr), and S{tF) = 
CO for any tF G Pred{T,cLLT,AcLLT), where oj is the initial limit ordinal. 

It is easy to check that this function S is a stratification of Fcllt- Thus Tcllt 
has a unique stable transition model. Henceforward such model is denoted by 
McLLT- As usual, the LTS associated with CLLT is defined below. 

Definition 3.5 The LTS associated with CLLT, in symbols LTS(CLLT), is the 
quadruple {T{Y.cLLT),Actr,^CLLT,FcLLT) such that for any <, s G T{T,cllt) 
and a G Actr, t ^cllt s iff * s G Mcllt, and t G Fcllt iS tF G Mcllt- 

Since Mcllt is a stable transition model, which exactly consists of provable 
transitions of the positive TSS Strip{TcLLT, Mcllt), the result below follows im- 
mediately. 

Theorem 3.1 For any t,t\,t2 G T{Y,cllt) and a G Actr, we have 

(1) ti ^cllt t2 iff StripiTcLLT, Mcllt) I- ii A t2- 

(2) t G FcLLT iff Strip{TcLLT, Mcllt) f- tF. 

Proof. Straightforward. □ 

This theorem is trivial but useful. It provides a way to establish the properties 
of LTS {CLLT). That is, we can demonstrate some conclusions by proceeding 
induction on the depth of inferences in the positive TSS Strip{TcLLT, Mcllt)- In 
the remainder of this paper, we will apply this theorem without any reference. 
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Remark 3.1 Although the universal quantifier symbol does not occur in (Rpie) 

explicitly, it is not difficult to see that the premise of (Rpig) involves universal 
quantifier in spirit. Analogous to CLL, we may adopt the method given in [58] 
to avoid this. In detail, for each a G Actr, the auxiliary predicates Fa is added 
to CLLT and the rule (Rpie) is replaced by two rules below, where the topmost 
operator of p is in {A, ft, A, 0}. 

(Rpi6-l) = (Rpi6-2) 



pFo, ' ^' pF 

Similar to (Rpie), these two rules also capture (LTSl). However, it is easy 
to see that, due to two rules above, the stratifying function does not exist for 
resulting calculus. By moans of technique so-called positive after reduction [13, 
26], we can also get its stable transition model as done in [60]. Moreover, such 
stable transition model coincides with Mcllt- To avoid cumbersome reduction 
procedure, our current system employs (Rpie) instead of (Rpie-i) and (Rpi6-2)- 

Convention 3.1 For the sake of convenience, in the remainder of this paper, 
we shall omit the subscript in labelled transition relations -^cllt, that is, we shall 
use A to denote transition relations within LTS{CLLT). Thus, the notation A has 
double utility: predicate symbol in the TSS Tcllt and labelled transition relation 
on processes in LTS{CLLT). However, it usually does not lead to confusion in a 
given context. Similarly, the notation Fcllt is abbreviated to F. Hence the symbol 
F is overloaded, predicate symbol in the TSS Tcllt and the set of all inconsistent 
processes in LTS{CLLT), in each case the context of use will allow us to make the 
distinction. 



3.3 Basic properties of LTS{CLLT) 

This subsection will provide a number of simple properties of LTS{CLLT). In 

particular, we will show that LTS{CLLT) is indeed a r—pure LLTS. Wc begin with 
listing a few simple properties in the next three lemmas, which will be frequently 
used in subsequent sections. 

Lemma 3.1 Let t,p,q € T{T,cllt) and a, ^ G Actr- 

(1) a.t A r iS. a = j3 and r = t. 

(2) p V g — > r iff /3 = r and either p = rovq = r. 

(3) true -A r iS = T and either r = or r = □ a.true for some nonempty 

aeA 

finite set A C Act. 

(4) ^p ^ r iS r = pi A p for some pi with p ^ pi. 

(5) p A q ^ r iS r = pi A q for some pi with p ^ pi. 

(6) pwq A r iff ^ = T and either r = qoTr = pQ {pvjq). 

(7) t {p'cuq) A r iff r = ii {pvjq) for some ti with t ^ ti. 

(8) p'-^q -^^ r iff either (r = s'\>q and p A s) or (r = p'\>s and q s) for some s, 
where ^ e {A,n, 

Proof. For each item, the implication from right to left is obvious. The proof 
of converse implication is a routine case analysis on the last rule applied in the 
inference. As a sample case, we consider (6), the remainder may be handled in the 

similar manner and omitted. It follows from pzuq A r that Strip{TcLLT, Mcllt) I~ 

pzuq A- r. Clearly, the last rule applied in the inference has the format below 
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either — or . 

pvuq — )• q pzuq p Q {pvjq) 

Then j3 = t and either r = qovr=pQ) (pvaq), as desired. □ 
Lemma 3.2 Let t,p,q G T{Y,cllt) and a S Act. 

a a a 

(1) pHq — )■ r iff cither p ^ r and q />, or — >■ r and p 

(2) p A g A r iff p A ri, g A r2 and r = ri A r2 for some ri, r2- 

(3) A r iff r = (g A p) A p for some with p q. 

(4) p A g A r iff r = (s A A g for some s with p s. 

(5) t (pzuq) A r iff there exists s such that t A s and either r = s A g or 

r = (s Ap) © (pruq). 

a ^ a 

(6) If a ^ j4 then, pjl^g — > r iff either (r = s| | a? , <? 7^ and p — ?■ s) or (r = p| | ^s, 

r ^ 

q T^- and q ^ s) for some s. 

(7) If a G ^ then, p||a9 A r iff r = s|Ut, p A- s and g A t for some s, t. 



Proof. Analogous to Lemma 3.1, omitted. □ 

Lemma 3.3 Suppose p,q,r £ T{Y,cllt)- 
{l)pVqGFiSp,qeF. 

(2) a.p e F iff p G F. 

(3) p'^q e F m either p € F or g € F for ^ G {□, 

(4) Either p G F ov q G F implies p A g G F. 

(5) ptuq G F iff g,p (pzuq) G F. 

(6) r G F implies r A p, (Jr, r © (pwq) G F. 

(7) ^ F, true ^ F and ±G F. 



Proof. Straightforward. □ 

Lemma 3.4 LTS{CLLT) is r - pure. 



Proof. Let t s. It is enough to show that t -f^. The proof is done by induction 
on the inference Strip{TcLLT, Mcllt) I- f A s, which is a long but routine case 
analysis based on the last rule applied in the inference, omitted. □ 

Lemma 3.5 LTS{CLLT) satisfies (LTSl). 

Proof. Let t be any process and assume that \/s{t A s implies s G F) for some 
a G I{t). We intend to verify f G F by induction on t. 

• f = 0, T, true, a.p, p V g or pzuq 

Follows from Lemma 3.1 and 3.3. In particular, for t = 0, _L or true, since the 
premise does not hold at all, it holds trivially. 

• f = p A g, jip, p A g or p (rzuq). 
Immediately follows from the rule (Rpie). 

• t = pDq 
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By Lemma 3.3(3), it suffices to show that either p G F ot q £ F. Conversely, 

suppose that p ^ F and q ^ F. By Lemma 3.2 (1) and 3.1(8), we have either 
a e I{p) or a e I{q)- W.l.o.g, we consider the first alternative. If a S Act, then, 
by Lemma 3.2(1), we get 



Hence, by induction hypothesis (IH, for short), we have p € F, a contradiction. 
If a = T, then, by Lemma 3.1(8), it follows that 



Further, by Lemma 3.3(3), it follows from q ^ F that |s : p -4- s| C F. Then, 
by IH, we also obtain p e F, a contradiction. 

• t=p\\Aq 

Again by Lemma 3.3(3), it is sufficient to show that either p € F or q € F. On 
the contrary, suppose that p ^ F and q ^ F. We distinguish two cases depending 
on whether a is in A. 

Case 1 a ^ A. 

Then either a £ I{p) or a G I{q) by Lemma 3.1(8) and 3.2(6). W.l.o.g, we 
handle the first alternative. Hence 



Further, by Lemma 3.3(3), it follows from q ^ F that |s : p — )• s| C F. Then 
p € F due to IH, a contradiction. 

Case 2 a e A. 

In such situation, we get a € I{p) and a G I{q)- Then, by IH, it follows from 
p ^ F and q ^ F that there exist pi and qi such that 



Thus p\\Aq —> Pi\\Aqi and piU^Qi ^ by Lemma 3.2(7) and 3.3(3), a contra- 
diction. □ 

A simple but useful result is given below, which provides a necessary and suf- 
ficient condition for a non-stable process to be inconsistent. An analogous result 
have been obtained for CLL in [60] . 

Lemma 3.6 For any t G T{T,cllt), we have 

{!) t £ F iff Vs(t A s implies s € F) whenever r G I{t). 

(2) If < 4> |s and s ^ then f ^ F and f 4>f \s. 





s\\Aq ■■ P ^ s \ C \ s : p\\Aq s \ G F . 




p-^Pi, q-^ qi, Pi ^ F and qi ^ F. 
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Proof. Clearly, (2) immediately follows from (1). In the following, we con- 
sider (1). Assume that r G lit). Then, by Lemma 3.5, we need only show 
that the left implies the right. We can prove it by induction on the inference 
StripiTcLLT, Mcllt) I~ tF , which is a case analysis based on the format of t. As 
an instance, wc shall deal with the case t = p A q, the remainder may be handled 
in a similar way and omitted. 

Since t=pAq, the last rule applied in the inference has the format 

pAq^r {rF:pAq'^r} pF 
either — — or 



pAqF pAqF 

For the first alternative, since r S lip A q), wc get a = t by Lemma 3.4. Then 
it immediately follows that {r : p A q ^ r} C F. For the second alternative, we 
have p € F. Moreover, by Lemma 3.1(5), we get t G lip) because of r G lip A q). 
Hence, by IH, it follows that {r : p ^ r} C F. Further, since {r : p A q ^ r} = 
{r A q : p ^ r}, we obtain {r : p A q ^ r} C F hy Lemma 3.3(6), as desired. □ 

In order to show that LTS{CLLT) satisfies (LTS2), we introduce the notion of 
T— degree as follows, which measures processes's capability of executing successive 
T actions. 

Definition 3.6 The r— degree of processes is defined inductively below 

ditrue) = 1 

d{0) = d(_L) = dia.t) = whenever a G Act 
d{T.t) = d{t) + 1 

d{tiwt2) = diti V ^2) = ma.x{d{ti), ^(^2)} + 1 
d{ti A t2) = d{ti\\At2) = d{tiat2) = d{ti) + d{t2) 
d(tti) = d{t A ti) = d{t {tiwt2)) = d{t) 

Lemma 3.7 lit then d{r) < d{t) for any t,r e T{T,cllt)- 

Proof. Proceeding by induction on the inference StripiTcLLT, Mcllt) t — > r, 
which is a routine case analysis on the last rule applied in the inference. □ 

This elementary property makes it effective to apply the induction on the r— degree 
in the next proof. 



Lemma 3.8 LTS{CLLT) satisfies (LTS2). 



Proof. Let t G T{T,cllt) with t ^ F. It suffices to find p such that t \p- 
We prove it by induction on the r— degree of t. Assume that it holds for all p with 
dip) < dit). If t is stable, then t \t follows from t ^ F. Next we consider 
another case where r G I{t). Since t ^ F and r G I{t), by Lemma 3.6(1), we have 
t s for some s. Hence d{s) < d{t) by Lemma 3.7. Thus s 4>ir |r for some r due 
to IH. Then t 4>f I'', as desired. □ 



Now we get the main result of this section as follows. 
Theorem 3.2 LTS{CLLT) is a t - pure LLTS. 
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Proof. Obvious from Lemma 3.4, 3.5 and 3.8. □ 



In contrast with usual process calculuses, one of features of LLTS-oriented pro- 
cess calculuses is that these calculuses take into account consistency of processes. 
The inconsistency predicate is central to the description of behavior. We often need 
to prove that a given process p is consistent, which boils down to show that there 
is no inference for pF in Strip{TcLLT, Mcllt)- To this end, we introduce the 
notion below, which is useful for demonstrating the consistency of processes. The 
motivation behind this notion is that we intend to establish the consistency of a 
given process based on the well-foundedness of proof trees. 

Definition 3.7 (F— hole) A set Q of processes is said to be a i^-hole if, for each 
q any proof tree of Strip{TcLLT, Mcllt) I~ qF has a proper subtree with the 
root labelled with uF for some u Gfl. 



As the name suggests, each process in a F— hole is not in F. Formally, we have 
the result below. 



Lemma 3.9 If is a F-hole then n f = 0. 



Proof. Conversely, suppose that f2 fl F 7^ 0, say, q gQCi F. Thus there exists a 
proof tree of Strip^TcLLT, Mcllt) I~ qF. However, by Definition 3.7, such proof 
tree is not well-founded, which contradicts Def. 2.3. □ 

Therefore, in order to verify that a given process p is consistent, it suffices to 
provide a _F— hole including p. The next lemma has been showed for CLL in pure 
process-algebraic style in [60], where the proof essentially depends on the fact that, 
for any process t within CLL and a G Actr, t is of more complex structure than 
its a-derivatives. Unfortunately, such property docs not always hold for CLLT. For 
instance, consider processes true, pAr and r (pzuq). Here we give an alterna- 
tive proof for it and indicate how the notion of F— hole may be used to show the 
consistency of a given process. 

Lemma 3.10 If s C r, s C t and s 4 F then r At 4 F. 



Proof. Put 



= \piAp2-q^ Pi,q^ P2 and g ^ F L 

L ~RS ~RS J 



It is enough to show that 17 is a F— hole. Let pi Ap2 € and 9 be any proof 
tree of pi Ap-zF. Thus q \Z pi-q n p2 and g ^ F for some q. So, it follows that 

~RS ~RS 

T 

I{Pi) = I{P2) = I{q)^ Pi ^ F and p2 ^ F. Further, since pi Ap2 -/^, the last rule 
applied in 3 has the format below 

Pi A P2 -^> IrF : pi Ap2 ri 

5^ ^ for some a € Act. (3.10.1) 

P1AP2F ^ 

Hence a G I{q). Moreover, by Lemma 3.5 and 3.8, it follows from q ^ F that 
Q \qi for some qi. Since q d pi and qn p2, there exist Tj, tj with i < n 

and j < m such that pi ri -^f r2... -^f , P2 -^f ti -^f t2... -^f \tm and 

qi C. rn and qi C tm- (3.10.2) 

~iJS ^RS 
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Moreover, we also have pi A p2 — ''i A ti and 



ri A ti A ... A r„ A ti H> ... A r„ A t^. (3.10.3) 

Then, by (3.10.1), 9 contains a proper subtree Si with the root labelled with 
ri A tiF. On the other hand, it follows from (3.10.2) that Vn Atm G SI. Thus, to 
complete the proof, it suffices to show that 3 contains a proper subtree with the root 
labelled with r„ A tmF. li m = n = 1, this holds obviously due to ri Ati = r„ A tm- 
Otherwise, w.l.o.g, we assume n > 1. Hence ri A ti is not stable. Moreover, since 
^15^1 ^ F, the last rule applied in 9i is 



ri Ati ^ s, |rF : n A A r| 



n AtiF 

Thus SJi contains a node labelled with r2 A tiF. By repeating this procedure 
along (3.10.3), it is easily seen that 3 contains a proper subtree with the root 
labelled with r„ A tmF, as desired. □ 

We end this section with recalling some useful properties of the operator A, 
which has been obtained in [43] and [60] in different style. 

Lemma 3.11 For any process pi, p2 and q, we have 

r r 

(1) piA P2 C Pi for i = 1,2 whenever pi -/^ and p2 7^, 

(2) if g C pi and q C P2 then q d pi Ap2, 

~RS ~RS ~RS 

(3) piA p2 ^RS Pi for i = 1, 2, and 

(4) if q Qrs Pi and q C^s p2 then q d^s P\Ap2- 

Proof. A proof in pure process-algebraic style has been given in [60]. Here 
we only draw the outline of its proof. Item (3) and (4) follow from (1) and (2), 
respectively. For (1) and (2), we set 



R\ = \{s At,s) : s At -f^) and R2 = \{s,r At) : s d r and sd t 

y ) y ~Rs ~fls 

It suffices to show that these two relations are stable ready simulation relations. 
Notice that Lemma 3.10 is used to prove that R2 satisfies (RS2) and (RS3). For 
more details we refer the reader to [60]. □ 

It is an immediate consequence of the above lemma that, modulo =b.s (or, «ijs), 
the operator A satisfies the idempotent, commutative and associative laws. 



4 The operator {j 

This section aims to explore properties of the operator ji. In particular, we shall 
characterize processes that refine processes with the format jjp. This result sup- 
ports the claim that the operator jj captures the modal operator always. Since the 
behavior of tt is described in terms of A, we will study the latter firstly. 

Lemma 4. 1 If p C rAt and p =§>f \pi then pi d {s Au) At ior some s and 

~RS ~RS 

u such that r =>ir \s and t =>ir \u. 



19 



Proof. Since p \Z rAt and p \pi , Pi C q for some q with rAt \q- 

~RS ~RS 

T 

Then it follows from rAt that rAt A-p qi^p \q for some qi. Further, by Lemma 
3.1(5)(8) and 3.2 (4), there exist ri, r2 and ti such that qi = {riAt)At with r ri, 
and q = {r2 A ti)At with t 4>ir \ti and ri 4>ir |r2 . Hence pi C (r2 A fi)At with 

t =^p \ti and r =>ir |r2 , as desired. □ 

A simple method for showing that one process simulates another one is to find 

a stable ready simulation relating them. It is well known that up-to technique is a 
tractable way for such coinduction proof. Here we introduce the notion of a stable 
ready simulation up to C as follows. 

~RS 

Definition 4.1 (stable ready simulation up to C ) A binary relation R C 

^RS 

T{T,cllt) X T{T,cllt) is said to be a stable ready simulation relation up to C 
if for any {t, s) £ R, it satisfies (RSI), (RS2), (RS4) in Def. 2.2 and 

(RS3-up to) t =4>F |ti implies 3si(s =5>f |siand (ii,si) & Ro c ) for any 
a e Act. 



As usual, given a relation R satisfying the above conditions, R itself is not in 

general a stable ready simulation relation. But the simple result below ensures that 
up-to technique based on the above notion is sound. 

Lemma 4.2 If is a stable ready simulation relation up to C then RC \z 

'^RS 

Proof. Due to the reflexivity of C , we have R C _Ro □ . Thus it suffices to 

~RS ~B.S 

show that Ro c is a stable ready simulation. For any pair (s, t) G Ro □ , based 
on Def. 4.1 and the transitivity of C , it is straightforward to check that {s,t) 
satisfies four conditions in Def. 2.2. □ 

Lemma 4.3 If p C uAt then p iZ u. Hence uAt \^rs u for any u and t. 
Proof. Set 

R = < {q, s) : q sAr for some r 

I '^RS 

We wish to prove that R is a stable ready simulation relation up to C . Let 

{q, s) e R. Then q n sAr for some r. Thus both q and sAr are stable. By item 

~RS 

(5) in Lemma 3.1, so is s. Hence (RSI) holds. 

(RS2) Suppose q ^ F. Due to q CI sAr, we get sAr ^ F, which implies s ^ F 

by Lemma 3.3 (6). 

(RS3-upto) Let q ^p |gi . Since q □ sAr, by Lemma 4.1, gi c (si Ari) Ar 

~RS '^RS 

for some ri and si such that r ^p \ri and s ^p |si. Thus {qi,si Ari) e R. 
On the other hand, by item (1) in Lemma 3.11, we get Si A ri C Si. Hence 

(gi, si) € Ro d and s ^p \si , as desired. 

^RS 

(RS4) li q ^ F then it follows from q C sAr that I{q) = J(sAr), and hence 

•^RS 

I{q) = I{s) by Lemma 3.2 (4). □ 
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Notation 4.1 For a more convenient notation, we introduce the notations below. 

(1) Following [44], the notation is used to stand for [J ^p. 

aeAct 

(2) The notation p C.'^g t means that Vn e wVpo, Pi, ■■■ Pn {p \po =^ f \pi 

Act 

... \pn implies p„ \^rs t). 

V7 j\ct Act 

(3) The notation p d t means that Vn G ui'^Po, Pi,--- Pn{p ^ f \po ^f 

Act 

\pi - ^P \Pn implies ])„ C t). 

The next two results provide a necessary condition for a process to refine , 
where the refinement relation is captured by C and respectively. 

Lemma 4.4 If p c U then p t. 

~RS ~RS 

A.ct A.ct Act 

Proof. Assume that p =^f \po =¥■ f |pi ••• =^ f bn • If it were true that 
p„ C {r At) At for some r (4.4.1) 

^RS 

we would have p„ C t by Lemma 4.3 and 3.11 (1), and hence the proof would 

~RS 

be complete. In the following, we thus intend to prove (4.4.1) by induction on n. 

For the induction basis n = 0, we have p ^p Ipofor some a G Act. It follows 
from p c ^t that po C ti for some fiwith jjt \ti • Due to the stableness of 

~iJS ~RS 

^t, we get ^t A-p t2^F |tifor some t2. Then, by Lemma 3.2 (3), t2 = {s /\t) At for 
some s. Further, by Lemma 3. 1 (5) (8) and 3.3 (6), it follows from (s At) At 4>f |ii 
that there exist t^ and si such that t ^p \tz, s ^p \s\ and t\ = (si Ats) At. Since 
t is stable, we get t = ts. Thus po C (si At) At, as desired. 

~RS 

For the induction step n = A; + 1, suppose that p => f bo \pi --- f 

\Pk \Pk+i - By IH, Pk CI {s At) At for some s. Then, by Lemma 4.1, it 

a 

follows from pk ^f \pk+i and t -/^ that Pk+i C {r At) At for some r. □ 

This result is of independent interest, but its principal significance is that it will 
serve as a stepping stone in demonstrating the next lemma. 

Lemma 4.5 p (jt implies p t. 

s Act A.ct Act 

Proof. Assmne that p =>p \po =^ p \pi 1^2 ••• ^ f bn • We intend to prove 
that Pn t. The argument splits into two cases depending on whether t is stable. 

T 

Case 1 t y>. 

T 

So, ^t -/^. Then it follows from p C/jg ^t and p ^p bo that po C ^t. Hence 

'^RS 

T T 

Pn CI thy Lemma 4.4. Consequently, Pn Qrs t holds due to t 7^ and p„ 7^. 

'^RS 

Case 2t^. 

Since p ^p bo and p [jt, it follows that po C to for some to with ^t ^p 

~RS 

\to. By Lemma 3.1(4) and 3.3(6), there exists r such that to = ''At and t ^p \r . 
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Thus, by Lemma 4.3, we have po CI r. If n = then po ^rs t comes from po -f^ 
and t \r . We now turn to the case n > 1. Due to po C rAt, applying Lemma 
4.1 repeatedly, it may be proved without any difficulty that Pn CI {s Ati) At for 
some s and ti such that t 4>ir \ti . Further, by Lemma 4.3 and 3.11(1), we have 
Pn C s A ti C ti. Then it follows from p„ -/^ and t =^f \ti that Pn Ei?S D 

~RS ~RS 

The converse of the above lemma also holds. However, its proof is far from 
straightforward. A few of preliminary results are needed. Two results concerning 
consistency are given firstly. 

Lemma 4.6 Let p and t be any process such that p t, and put 

= |r At : 3qQ,qi,...,qn (p 4>f |go \qi - \qn r ^ |. 
Then f2 is a F— hole. 

€ Act 

Proof. Let rAt e il. Then there exist po,pi,P2---Pn such that p \pq ^ f 

Act 

\pi ... ^F \Pn andp„ C r. Let 3 be any proof tree of Strip{TcLLT, Mcllt) ^ 

~ RS 

r A tF. Since Pn CI r and pn ^ F, we get r <^ F. Moreover, r A /: is stable due to 

~RS 

T 

r 7^ and Lemma 3.1(5). Thus the last rule applied in 9 is of the format below 
rAtA-u, |gF:rAtAg| 



r AtF 



for some a e Act. (4.6.1) 



Due to p„ IZ r and p„ ^ F, we have I{Pn) = I{r) = I{rAt) by Lemma 3.2(4). 

-^RS 

Hence a G I{Pn)- Moreover, by Lemma 3.5 and 3.8, it follows from Pn ^ F that 
Pn \Pn+i for some Pn+i- Then, due to p„ C r, there exist ri and r2 with 

r A-F r-i =>F |r2 and pn+i C r2. 

Moreover, Pn+i Eijs * because of p Hence Pn+i C ti for some ti 

with f =>ir Ifi . Thus, by Lemma 3.11 (2), it follows that Pn+i C r2 A ti. Hence 

(^2 Ati) At G ri. Consequently, in order to complete the proof, it is enough to show 
that Q contains a proper subtree with the root labelled with (r2 A ti) A tF. Next 
we shall prove this. 

By Lemma 3.2(4) and 3.1(5), it follows from r A-f ri ^f \r2 and t 4>ir \ti that 

r At A (n At) At 4> |(r2 Ati) At. 

Hence, by (4.6.1), 3 contains a proper subtree with the root labelled with (n A 
t) A tF. Obviously, if {n A t) A t is stable then (n A t) A t = (r2 A ti) A t, and 
hence 9 contains a node labelled with (r2 Ati) AtF, as desired. In the following, we 
handle the nontrivial case (ri At) At In such situation, there exist si, S2, Sm 
such that 

n A t A si A S2 ••• Sm k2 A ti , and (4.6.2) 

(n At) At ^- si At 4 S2 At 4 ... 4 Sm At 4 |(r2 Ati) At. (4.6.3) 
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On the other hand, due to Pn+i ^ F and Pn+i C r2 A fi, we get r2 Ati ^ F. 
Then, by Lemma 3.6(1) and (4.6.2), it is easy to see that 

ri At ^ F and Si ^ F with 1 <i <m. 

Thus, for each u € {ri A |J {sj : 1 < i < m}, the last rule applied in any proof 
tree of Strip{TcLLT, Mcllt) \- u AtF must be of the format below 

uAt^r, ^qF:uAt^q^ 

Therefore, by (4.6.3), it follows that 3 contains a proper subtree with the root 
labelled with (r2 A ti) A tF, as desired. □ 

With the helping of this result, we shall prove the assertion below, which is a 
crucial part of the proof for the converse of Lemma 4.5. 

Lemma 4.7 If p t and p ^ F then jji ^ F. 

Proof. Since p ^ F, hj Lemma 3.8, there exists qo such that p 4>f \qo ■ Then 
90 EfiS t due to p t. We distinguish two cases depending on whether t is 
stable. 

Case 1 t 

In such situation, since qo t, there exists ti such that qo C ti and 

t \ti . Then [It |ti A t by Lemma 3.1(4)(5). On the other hand, by Lemma 
3.9 and 4.6, it follows from p 4>f C h that tiAt 4 F. Thus 'it 4 F hy 

Lemma 3.6(2). 

r 

Case 2 t -/^. 

Assume that ^t G F and let be any proof tree of Strip{TcLLT, Mcllt) I~ UF- 

T g 

Since t is stable, so is by Lemma 3.1(4). Moreover, it follows from t -fr,p =>f |9o 
and go EflS * that qo \Z t and t 4l F. Thus the last rule applied in 9 is of the 

format below 

tiiAu, {qF-4t^q\ 

for some a G Act. (4.7.1) 

Since go 1^ i and qo ^ F, by Lemma 3.2(3), we have /(go) = I{t) = /(ttt). 
Hence a € /(go). Further, by Lemma 3.5 and 3.8, it follows from qo ^ F that 
Qo l^i for some gi. Thus there exist ti and t2 such that 

t ti 4>F 1*2 and gi C i2. (4.7.2) 

Clearly, we also have 

tti A (ii Ai) Af 4> 1(^2 At) At. (4.7.3) 
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Since p =^f ko =^f \qi and p t, we obtain qi ^rs t. Then qi \Z t 

~RS 

T 

because of t which, together with (4.7.2), imphes that qi \Z t2 At hy Lemma 

~RS 

3.11(2). From this and p ko \qi , we conclude {t2 A t) A t ^ F hy Lemma 
3.9 and 4.6. Then, by Lemma 3.6(2), it foUows from (4.7.3) that {h At) At F. 
But we also have {ti At) At ^ F due to (4.7.1) and (4.7.3), a contradiction. □ 

In addition to preceding two lemmas, the next result will be applied in demon- 
strating the converse of Lemma 4.5. 

Lemma 4.8 Let p and t be any process such that p t. For any process 

u and V, if 3uo, ui, U2...Uri-i (p =^f Wo =§*f \ui ■■■ =^*f \un-i =§*f \u) and 
u n. V then u n. v At. 

~RS ~RS 

Proof. Set 

{/ q \Z r and \ 

{q,rAt):3qo,q,,...,qn-i( , ^ . 

\ P=^F \qo \qi ■■■ ^F Wn-l ^F\q / J 

Obviously, it suffices to show that i? is a stable ready simulation relation. Sup- 
pose {q, r At) E R. Then it is easy to see that both q and r A t are stable, and 
r At ^ F hy Lemma 3.9 and 4.6. Moreover, by Lemma 3.2(4), since q ^ F and 
q \Z r, we also have I{q) = I(r) = I{r A t). Thus it remains only to prove that 

~RS 

the pair (g, r At) satisfies (RS3). 

Let q ^F \s ■ Then s Qrs t due to p t. Moreover, it follows from q \Z r 

~RS 

that s \Z Ti for some ri with r ^f l^i ■ On the other hand, since s CZrs t and 

~RS 

s ^F \s , we have s \Z ti for some ti such that t =^f \ti ■ Hence s n. ri A ii by 

^ RS ^ RS 

Lemma 3.11 (2). Thus (s, (ri A ti) At) eR. 

a a ^ 

Next we shall show that r A t =>f \(ri A ti) A t . Since r =>f l^i and r -/^, 
we have r -%f v ^f \fi for some v. Then, by Lemma 3.2(4), it follows that 
r At A [v A t) A t. Further, by Lemma 3.1(5), it follows from t 4>f l^i and 
V ^F \ri that 

r Ai A (i; At) At 4> |(ri Ail) Ai. (4.8.1) 
Moreover, since q =4>i? |s C ri A ti, by Lemma 3.9 and 4.6, we get (ri A 

~RS 

ti) At ^ F. Then, by Lemma 3.6(2), it follows from r A i ^ F and (4.8.1) that 
r A t 4>_F |(ri A ii) A t , as desired. □ 

We are now ready to prove the converse of Lemma 4.5. 

Lemma 4.9 p t implies p ^rs tJt- 

Proof. Let p =>f \s ■ It is enough to find q such that jji 4>f \q and s \Z q. We 

~RS 

consider two cases below. 
Case 1 i A. 

®It means p \u whenever n = 0. 
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Since s t and s =>ir Is , there exists r such that s C r and f =>f k • Then 
s C r A f by Lemma 4.8. On the other hand, by Lemma 3.1(4)(5), it follows 
from t \r that jjt =5> \r At. Moreover, r At ^ F due to s □ r At and s ^ F. 

~RS 

Hence tli =>f |r" A f by Lemma 3.6(2). Consequently, r A t is exactly one that we 
seek. 

r 

Case 2 t 

In such situation, since s Qrs t and s 4>ir \s, we have s C t. Moreover, jjt 

r 

is stable because of t -f^. To complete the proof, it suffices to prove that s C %t. 

^RS 

Put 

^ = {(s.ttt)}Uc . 

^RS 

We intend to show that iZ is a stable ready simulation relation. Clearly, since 

both s and \t are stable, it is enough to prove that the pair (s, %t) satisfies (RS2)- 
(RS4). By Lemma 4.7, we have fti ^ F. So, (s,tJt) satisfies (RS2). Moreover, by 
Lemma 3.2(3), it follows from s ^ F and s C t that /(s) = /(t) = /(ftt), that 

is, such pair satisfies (RS4) . The remaining work has then to be spent on checking 
(RS3). 

Let s =§>F |<Z- Clearly, it suffices to find a process w such that '^t |w and 
g C u>. It follows from s C t that q C t\ for some ti such that t \ti . 

~RS ~RS ~RS 

T 

Then, due to t -/^, we have t A-p v ^p \ti ^ov some v. Hence, by Lemma 3.2(3) 
and 3.1(5), it follows that 

'itA-{vAt)At4^\{tiAt)At. (4.9.1) 

€ a ^ 

On the other hand, since p =>_f \s =>f \q, P Cro t and t 7^, we get q d t. 

~RS 

Thus q n ti A t hy Lemma 3.11(2). Further, by Lemma 4.8, it follows that 
q \Z {ti At) At , and hence (ti A t) A t ^ F. Then, by Lemma 3.6(2). it 

~RS 

comes from ^t ^ F and (4.9.1) that fti \{ti At) At. Consequently, the process 
{ti At) At is one that we need. □ 

The development so far can be summarized in the following theorem, which 
provides a natural and intrinsic characterization of processes that refine ones with 
the format jtt. 

Theorem 4.1 For any process p and t, we have 

(1) pEfls it iS pQls t- 

(2) pC iti&pcy t whenever p and t are stable. 

Proof. Immediately follows from Lemma 4.9, 4.5 and 4.4. In particular, by 
Lemma 4.9, it is a simple matter to verify the implication from right to left in item 

(2).n 

As an immediate consequence of the above theorem, we have the result below, 
which reveals that both IZ and Qrs are precongruent w.r.t the operator jj. 

Corollary 4.1 (Monotonicity Law for ()) t ^rs s implies jjt ^rs ^s. Hence 

it IZ tts whenever t \Z s. 

~RS '^RS 
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Proof. Suppose that t Qrs s. Then it follows from Theorem 4.1 and the 

transitivity of Qrs that, for any process p, p Qrs U implies p Qrs tt*- Further, 
due to the reflexivity of ^rs, we have I^rs tts. □ 

We conclude this section with proving that Qrs is also precongruent w.r.t the 
operator A. To this end, a preliminary result concerning inconsistency predicate is 
given below. Although it can be proved by an analogous argument of Lemma 4.6, 
for the sake of integrality, we still show it in detail. 

Lemma 4.10 The set is a F— hole, where fl is given as 

n = <r At : 3p, u { p d r , u Qrs t and p Au ^ F 

Proof. Suppose r A t G Cl. Then there exist p and u such that p A u ^ F, 
u Eijs t and p C r. Let 3 be any proof tree of StripCTcLLT, Mcllt) I~ r A tF. 

Since p Au ^ F, we have p ^ F hy Lemma 3.3(6). Hence r ^ F due to p C r. 

r 

Moreover, by Lemma 3.1(5), r At is stable because of r -f^. Thus the last rule 
applied in S has the format below 

rAt^w, [qF:rAt^q\ 

\ — for some a G Act. (4.10.1) 

r AtF 

By Lemma 3.2(4), since p IZ r and p ^ F, we get I{p) = I{r) = I{r A t). 

~RS 

Hence a € I{p) — I{p A u). Moreover, by Lemma 3.5 and 3.8, it follows from 
p Au ^ F that p A u -%f s \v for some s and v. Further, by Lemma 3.2(4), 
we obtain s= {pi /\u) Au and v = (p2 A wi) A w for some pi, p2 and ui with 

p Ai? pi |p2 and u \ui. 
Then it follows from p □ r and u Cjjs t that there exist ti,ri and r2 such 

~RS 

that p2 C r2 with r — >i? ri |r2 , and ui \Z ti with t =^f \ti ■ By Lemma 

~RS ~RS 

3.11(1)(2), 3.2(4) and 3.1(5), this clearly forces p2 A ui C r2 A ti and 

~RS 

r At A- {n At) At 4- |(r2 Ail) At. (4.10.2) 
Further, due to v = {p2 Aui) Au ^ F and u Qrs t, we have 

(r2 Ail) Ai e fi- 

Then it remains to show that 9 contains a proper subtree with the root labelled 
with (r2 Ail) AtF. By (4.10.1) and (4.10.2), 9 contains a proper subtree with the 
root labelled with (ri A i) A tF. If (n A i) A i is stable then 3 contains a node 
labelled with (r2 Ati) AtF because of (ri A i) A i = (r2 A ii) A i. In the following, 
we consider another case (ri A i) A i In such situation, there exist Si, S2, Sm 
such that 

ri A i A si A S2 ... Sm A \r2 A ii , and (4.10.3) 

(n A i) A i 4 si A i 4 ... 4 s„ A i 4 |(r2 A ii) A i . (4.10.4) 

Since v = {p2 A Ui) A u ^ F, by Lemma 3.3(6), we got p2 A ui ^ F. Then 
r2 A ii ^ F due to p2 A ui C r2 A ii. Hence, by Lemma 3.6 (1) and (4.10.3), it is 

evident that 
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ri At ^ F and Si ^ F for each i with l<i<m. 

Thus, for each w € {ri A t}\J {si : 1 < i < m}, the last rule applied in any proof 
tree of Strip{rcLLT, Mcllt) \- w AtF must be of the format below 



wAt^u, ^qF:wAt^q^ 



wAtF 

Consequently, by (4.10.4), it is not difhcult to see that S contains a proper 
subtree with the root labelled with (r2 Ati) A tF, as desired. □ 

Theorem 4.2 (Monotonicity Law for A) For any process ti, pi (i ~ 1,2), we 
have 

(1) If pi □ P2 and ti C_Rs t2 then pi A ti \Z P2 A ^2- 

~RS ~RS 

(2) If pi Qrs P2 and ti Qrs ^2 then pi A ti Qrs P2 At2. Hence I^rs is a 
precongruence w.r.t the operator A. 

Proof. (1) Set 



R = i (p At, q Aw) : p n q and t Qrs w > . 

{ ~RS J 

It suffices to show that i? is a stable ready simulation relation. Let {p At, q Aw) 
e R. Hence p d q and t Qrs w. Then, by item (5) in Lemma 3.1, both p At 

and q Aw are stable, that is, (RSI) holds. Moreover, it immediately follows from 
Lemma 3.9 and 4.10 that (RS2) holds. 

(RS3) Let p At \u. Hence p At -^p s |w for some s due to (RSI). 
Further, by Lemma 3.2(4), we get s = {pi At) At and u= {p2 A t{) A t for some 
Pi, P2 and ti such that 

P Pi 4>f \P2 and t 4>f \ti ■ 
Then it follows from pn q and t ^rs w that there exist Wi , qi and q2 such 
that ti C Wi with w \w\, and P2 C q2 with q A-p qi =l>jr \q2 ■ Hence, by 
Lemma 3.2(4) and 3.1(5), we obtain 

q Aw A- {qi Aw) Aw A \{q2 A u.'i) A w. (4.2.1) 

Moreover, by Lemma 3.11 (1)(2), we have P2 Ati d q2 A Wi. Combining this 
with t C_R5 w we conclude that 

{{P2 A ti) A t, {q2 A wi) Aw) eR. 

On the other hand, by Lemma 3.9 and 4.10, it follows from p At ^ F and 
{p At, q Aw) € R that q A w ^ F. Similarly, we also have {q2 A wi) A w ^ F. 
Further, by (RS2), (4.2.1) and Lemma 3.6 (2), it follows that 

q Aw -%p (gi Aw) Aw 4>f |(?2 A wi) A w. 

(RS4) Assume that pAt^F. Then p ^ F by Lemma 3.3(6). Thus it follows 
from p □ q that I{p) = I{q). Further, by Lemma 3.2 (4), we get I{p A t) = 

~RS 

I{p) = I{q) = I{q Aw), as desired. 

(2) Suppose pi A ii 4>F |w. The task is now to seek t such that p2 At2 =>f \t 
and u \Z t. By Lemma 3.1(5), we get u = s Ati for some s with pi ^p \s . 

^RS 
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Moreover, since pi Qrs P2, we have s d for some w with p2 =^f \w. Then 

P2 A t2 1^ A t2 by Lemma 3.1(5). On the other hand, by Lemma 3.9 and 4.10, 
it follows from s c w, ti Qrs ^2 and u = s Ati 4l F that w At2 i F. So, by 

Lemma 3.6, we have p2 At2 =>f |w A ^2 • Moreover, by item (1) in this lemma, it 
follows from s \Z w and <i ^rs i2 that u = s Ati \Z w At2- Therefore w At2 

~RS ^RS 

indeed is one that we need. □ 

By the way, according to item (1) in the above theorem, it is obvious that IZ 

~RS 

is also a precongruece w.r.t the operator A, that is, pi A ti d P2 A t2 holds 
whenever pi C p2 and ti d t2- 

""RS ""RS 

5 The operator zu 

This section will focus on the temporal operator w, and characterize processes that 
refine processes with the topmost operator vj. Since the auxiliary operator plays 
an important role in describing the behavior of w, we begin with exploring the 
properties of it. We first want to indicate some simple properties. 

Lemma 5.1 For any process s,t,p and q, we have 

(1) If s C t(D (p-cuq) then s IZ t. 

~RS ~RS 

T 

(2) t {pwq) IZ t whenever t 

(3) 1 (pwg) t. 

Proof. (1) Set 

R = < {u,v} : u n V Q {rzuw) ?[j CI 

I '^RS J '^RS 

We intend to show that i? is a stable ready simulation up to C . Suppose that 

'^RS 

ud vQ (rzuw). It is straightforward to verify that the pair {u, v) satisfies (RSI), 

~RS 

(RS2) and (RS4). To deal with (RS3-upto), we suppose u =^f |wi • It suffices to 
find vi such that v \vi and {ui,vi) £ Ro c 

~RS 

Clearly, it follows from tt IZ v Q (rzuw) that wi Z t for some t with v 

~RS ~RS 

(rzuw) |t. Since v (rzuw) is stable, there exists ti such that v (rzuw) — >f 
ti =I>F \t- We proceed by considering two cases depending on the last rule applied 
in the proof tree of StripiTcLLT, Mcllt) \- v Q (rzuw) A ti. 

a 

Case 1 



V (rzuw) s Aw 

Then ti = s Aw. Moreover, by Lemma 3.1(8), t = si Awi for some si, wi such 
that s 4>ir |si and w 4>ir \wi . Thus v \si ■ On the other hand, by Lemma 
3.11(1), it follows that ui C t = si Awi \Z si. Then {m, si) G Ro \z due to 

RS RS RS 

C C iJ. 

Case 2 



V {rzuw) A (s A r) [rww) 
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Hence ti = {s Ar) Q (rzuw). By Lemma 3.1(7) and (8), t = (si A ri) {rmw) 
for some Si, ri such that s \si and r =I>f • Thus it follows from m d t = 

~RS 

(si A ri) © (rtu?/;) that {ui, (si A ri)) 6 R. Moreover, by Lemma 3.11(1), we also 

have ,si A ri IZ .s'l. Hence .si) <E R o \z and v ^f \si ■ as desired. 

' ~ RS 

(2) Immediately follows from the item (1) and t (pzuq) \Z t Q {pvjq). 

~RS 

(3) Let tQipvjq) =>f \s ■ By Lemma 3.1(7) and 3.3(6), s = rQ{pzuq) for some r 
such that t 4>ir |r . Moreover, by item (2) in this lemma, we have s = rQ{pzuq) □ 

~RS 

r. □ 

The next result provides a necessary condition for a process to refine tiwt2- 
Before giving it, for the sake of convenience, we introduce the notation below. 

Notation 5.1 For any process p, ti and t2, the notation p □'^^ ti t ^2 is used 

to stand for Vn G wVpo, Pi, — (p =>f m =>f |pi — =>f \Pn implies p„ C^jg 
or 3i < n(pi Cjjg tj))- 

Lemma 5.2 If p ^rs t\wt2 then p t\ t ^2- 

Proof. Assume that p 4>f |po Ipi =^V |p2 ••• |Pn • We intend to prove 
that either p„ ^rs ti or 3i < n{pi Qrs ^2) by induction on n. 

For the induction basis n = 0, since p ^rs tizut2 and t-iwt2 is not sta- 
ble, there exist ,s and si such that tiwt2 -^f s ^f \si and po C Si. The 

~RS 

argument splits into two cases based on the last rule applied in the inference 

StripiVcLLT, Mcllt) ^ tiWt2 A s. 

Case 1 



1x^12 t2 



Thus s = t2 and t2 =>f |si • Then it follows from po C si that po Qrs t2- 
Case 2 



titi7t2 ti (tin7f2) 

Then s = ti Q {tiwt2)- Moreover, by Lemma 3.1(7), Si = uQ {tiwt2) for some 
u with ti 4>ir \u. By Lemma 5.1(1), it follows from po CI si =uQ {tiwt2) that 

Po C u. Hence po Qrs h. 

'^RS 

For the induction step n = fc + 1, by IH, we have either 3i < k{pi C^s ^2) or 
Pk ^RS h- If the former holds, then we get 3i < k + l{pi Qrs ^2) immediately. In 
the following, we consider another case where -i3i < k{pi Qrs t2)- 

Since p Qrs tiwt2 and pi f \Pi+i for any i < k + 1, there exist vq, ri, ... 
Tfe+i such that timt2 =>f \ro , Vi "^^V ki+i and Pi C for each i < k + 1. To 

'^RS 

conclude the proof, we need the claim below. 
Claim 1 For each j < k, rj = v Q {tiwt2) for some v. 

We proceed by induction on j. For the induction basis j = 0, due to tizut2 
we obtain timt2 — >_f s =^f l^o for some s. It is easy to see that either s = t2 
or s = (tizut2). If the first alternative holds, then pq Qrs ^2 by the similar 
argument applied to Case 1 in the above. This contradicts the assumption that 
^^.j < k(pj ^2)- Hence s = ti Q (ii 1*7^2 )• Then it immediately follows that 

ro = i"! {tiwt2) for some vi with ti ^f \vi ■ 
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For the induction step j = i + 1 < k, we assume that Vi = Vi Q {tizut2) for some 
Vi. Since =3>^f l^^i+i and is stable, we obtain f s l^i+i for some s. 

Clearly, the last rule applied in the inference Strip{TcLLT, Mcllt) ^ f j s is 

Vi ^ U Vi ^ U 

either 



V^ {tiZDt2) uAt2 ViQ {tlWt2) "-^^ (m A ^i) {tiZDt2) 

For the first alternative, we get s = u At2 and r^+i = q A w for some q and w 
such that u \q and i2 ^^.f \w . On the other hand, since Pi+i □ r^+i = qAw, 

by Lemma 3.11(1), we have Pi+i □ w. Further, it follows from t2 ^f \w that 

~RS 

Pi+i Qrs ^2, which, due to i < fc, contradicts the assumption < k{pj ^rs ^2)- 
Thus we can conclude that the last rule applied in the inference is the second 
alternative. Then it is clear that r.^^ = Vi+i (^107^2) for some Vi+i as the operator 
is static w.r.t the r-labelled transition relatior0. 

Returning now to the proof of the lemma, by the above claim, we may as- 
sume that rj, = t {tiVDt2) for some t. Since p kfc+i and is stable, we 
obtain rfc p s ^p \rk+i for some s. The last rule applied in the inference 
Strip{TcLLT, Mcllt) I" "-^^ s is 

. , r — ?> M t u 

either 



tQ{tiWt2) '^'uAt2 tQ){tlWt2) {u A ti) Q {tlZUt2) 

For the former, pk+i ^RS ^2 follows by the argument similar to that in the proof 
of the induction step in Claim 1. For the latter, we have s = (u Ati) Q {tiTut2), 
and Tk+i = {w A q) Q {tiwt2) for some w, q such that u ^p \w and ti 4>f \q- 
Moreover, by Lemma 5.1, it follows from Pk+i C rk+i = (w A q) Q {titut2) that 

~RS 

Pk+i ^ w A q. Then Pk+i C 9 by Lemma 3.11(1). Further, due to ti ^p \q, 

~RS ~RS 

we get Pk+i ^RS ti: as desired. □ 

In order to establish the converse of the above lemma, we need the following two 
results which concern themselves with inconsistency predicate. 

Lemma 5.3 If u ^ \ui, p \Z ui, p ^ F and p ^rs t then u At ^ F. 

~RS 

T 

Proof. Since p Qrs t, it follows from p ^ F and p 7^ that p □ ti for some 

^RS 

ti with t ^F \ti . Moreover, we have p \Z ui Ati due to p C ui and Lemma 

^ RS ^ RS 

3.11(2). Then m Ah ^ F because of p ^ F. Thus, by Lemma 3.6(2), it follows 
from u At ^ \ui Ati that u At ^ F. □ 

Lemma 5.4 Let p, ti and t2 be any process such that p c"^^ ti t ^2, and set 

{/ e I Act I Act I \ ^ 

, N =1 / P=>F Po =>F Pi ■■■ ^P \pi , \\ 

tQ(h^t2):3po,pi,...pi^ p,^^^t^nd^3j<lip,nRst2) ) j' 

Then is a F— hole. 

^That is, the structure that represents is preserved under r-transitions. 
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Proof. Let 1 {tiwt2) G ^ and 9 be any proof tree of Strip^TcLLT, Mqllt) I~ 
1 {t\vjt2)F. Hence there exist poiPi, ■■■Pn-, oiij 012, ■■■dn such that 

(a) p 4-F \po \Pi ■■■ \Pn , 

(b) Pn C t, and 

~RS 

(c) -'3j < n(pj t2). 

T 

Since p„ C t and Pn ^ -F, we get t ^ F. Moreover, it follows from t -/^ that 
the last rule applied in is 

t& {ti-cut2) w, IqF :tQ {tizut2) ^ q\ 

7^ 7-;; for some a G Act. (5.4.1) 

t © {tiWt2)F ^ ' 

Since p„ C i and p„ ^ F, we have I{pn) = I{t) = Ht © {ti^t2))- Hence a G 

I{Pn)- Moreover, by Lemma 3.5 and 3.8, it follows from Pn ^ F that p„ =>f \Pn+i 
for some Due to p„ C there exist sq, si such that 

i Af So 4>f |si and Pn+i C si- 

ThentQ{tiwt2) A soAf2 and f©(tira7t2) {soAti)Q{tiwt2) are two a-labelled 
transitions from t {tizut2)- Thus, by (5.4.1), we get 

So A i2 G F and (sq A ii) {tiwt2) G f . 

In particular, 3 contains a proper subtree with the root labelled with (sq A 
ti) {tiwt2)F. Clearly, to complete the proof, it is enough to show that either 
(so A t\) (^1117^2) G or any proof tree of (so A t\) {tiwt2)F must contain a 
proper subtree with the root labelled with uF for some u G fl. In the following, we 
intend to prove this. 

Since p 4-f |po =^f \pi ■■■ ^f \Pn =^f \Pn+i and p ii t ^2, we get 

either pn+i Eas h ov3i<n+ l{pi ^rs *2)- (5.4.2) 

On the other hand, by Lemma 5.3, it follows from sq 4>ir |si , Pn+i C si and 
So At2 € F that 

Pn+l %RS h- 

Further, due to (5.4.2) and (c) (i.e., < n{pj ^2)), we have 
Pn+i EflS ti and -.3i < n + l{pi ^rs 12). (5.4.3) 

r 

Since Pn+i 7^, Pn+i ^ F and Pn+i Qrs ti, there exists v such that Pn+i C v 

~RS 

and =>ir \v. Then, by Lemma 3.11(2) and 3.1(8), it follows from Pn+i C si 

~RS 

and sq =>ir |si that 

C Si A u and sq A =l> Isi A . (5.4.4) 

'^RS 
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If (so A ti) {tiwt2) is stable, then so are sq and ti. Thus sq = si and ti = v. 
Further, by (5.4.4) and (5.4.3), wc get (sq A ti) {tiwt2) € O, as desired. In the 
following, we deal with another case (sq A ti) (t\wt2) A. 

Due to (5.4.4) and Pn+i ^ F, we obtain si A v ^ F, moreover, by Lemma 3.6 
(2), it follows that sq Ati A v . Since sq Ah ^ F and (sq A ti) (fin7f2) 

the last rule applied in the proof tree of (sq A ti) {tiwt2)F is 

(so A ti) {tizut2) 4 w, (^f : (so A h) (iia7t2) ^ g| 

^ tf; ^- (5-4.5) 

{soAh)Q{hzut2)F ^ ' 

On the other hand, since sq A t\ 4>ir |si At;, there exists rj (1 < i < m) such 
that So A ti Ai? ri ••• ->f ''to |si A i). Thus 

{soAti)Q{tivjt2) A ri0(tiwt2).... ^ rm®{t\vjt2) ^ |(si Au) {t\-ujt2) . (5.4.6) 

For each i < m, due to rj ^ F, the last rule applied in any proof tree of 
r, {tiwt2)F has the format below 

ri {tiwt2) A w, |gF : n (tiwt2) ^ g| 

r, {timt2)F 

Then, by (5.4.6) and (5.4.5), it is obvious that any proof tree of (so A ti) 
{t\'ujt2)F must contain a proper subtree with the root labelled with (si A v) 
{tiwt2)F. Moreover, by (5.4.4) and (5.4.3), we also have (si Aw) {t\'ujt2) G as 
desired. □ 

We are now in a position to show the converse of Lemma 5.2. 
Lemma 5.5 If p ti f ^2 then p Qrs tiwt2- 

Proof. Let p \qo- The task is to find r such that qo d r and tizut2 4>ir |r . 

r 

If Qo EflS i2, then, due to g'o 7^ and 50 i F, we get go C v for some w 

with t2 =>F |t;- Moreover, by Lemma 3.1(6) and 3.6, it follows from t2 ^ F that 

tiwt2 — >F ^2 =5'F b-'. as desired. 

We now turn to another case go %RS ^2- Set R = Ro\ \ CL with 

{/ e I j4ct I Act I \ ^ 

{q,tQ{t,wt2)):3po,Pu...piy gc^^iand-3i<Z(p,C«si2) J /• 

The rest of the proof is based on the following claim. 

Claim 1 i? is a stable ready simulation relation. 

Clearly, it suffices to prove that each pair in i?o satisfies (RS1)-(RS4). Let 
{q,t {tiwt2)) G Rq. Thus there exist po,Pi, ■■■Pn, «!) 0,2, ■■■CLn such that 



(a) p 4>ir \Pq \P1 - °"^^F \Pn-l \Pn = Q , 

(b) PnC t, and 

~RS 

(c) ->3i < n{pi Qrs t2). 
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Then (RSI) immediately follows from (6), and (RS2) is guaranteed by Lemma 
3.9 and 5.4. By Lemma 3.2(5) and (&), it follows from pn ^ F that I{Pn) = I{t) = 
I{t {tiv!7t2)), and hence (RS4) holds. We next verify (RS3). 

Suppose q = pn \Pn+i- Then, due to (6), there exist w and u such that 
Pn+i C u and t -^F w \u- Moreover, it follows from (a), (c), p„ ^f \Pn+i 

and p ti 1 12 that 

either Qrs ti or pn+i Eijs t2 (5.5.1) 
The argument splits into two cases depending on whether it holds that Pn+i Eijs 

Case 1 pn+i Ei?s i2- 



Due to Pn+i 7^ and ^ -F. wo get Pn+i C w for some v with ^2 ^F Iv- 

ors' 

By Lemma 3.11(2), it follows from Pn+i C v and Pn+i C u that 



(5.5.2) 



On the other hand, by Lemma 3.2(5) and 3.1(8), we have 
t {tiwt2) w At2^ \uAv. 

Moreover, by Lemma 3.9 and 5.4, t {tiwt2) ^ F. By (5.5.2) and Pn+i ^ F, 
we also have u Av ^ F. Then, by Lemma 3.6 (2), it follows that 

tQ{tizut2) -^F w At2^F \uAv. (5.5.3) 

On account of (5.5.2) and (5.5.3), we have the diagram below, as desired. 

q = Pn Ro tQ {t\Wt2) 



F 
Pn+1 



a 



C u Av 

'^RS 



Case 2 p^+i %rs t2- 

T 

Hence Pn+i ^rs ti by (5.5.1). Then it follows from Pn+i 7^ and Pn+i ^ F 
that Pn+i 1^ V for some v with ti ^f \v ■ Moreover, by Lemma 3.11(2) and 
Pn+i C u, we have 

Pn+i C uAv. 

Further, due to i2 and -^3i < n{pi Qrs 12) (i.e., (c)), we get 

(p„+i, (m A w) © (tituts)) G i?o- (5.5.4) 

By Lemma 3.2(5) and 3.1(7)(8), it follows that 

tQ{tiVjt2) 4- {w Ati) © {tiwt2) ^\{uAv)Q {tiWt2). 

Moreover, by Lemma 3.9 and 5.4, t {tizut2) ^ F and {u Av) Q {tiwt2) ^ F. 
Then, by Lemma 3.6(2), we obtain 
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tQ{tizut2) ^F\iuAv)Q {tizut2). (5.5.5) 
According to (5.5.4) and (5.5.5), wc get the diagram below, as desired. 

q=Pn Ro i {tl'Ujt2) 



Pn+l Ro (W A W) {tiWt2) 

From the arguments apphed to two cases above, it may be concluded that 
{q,tQ {tizut2)) satisfies (RS3). Therefore, the binary relation R is indeed a sta- 
ble ready simulation relation. 

We now return to the proof of the lemma itself. Since p ti t ^2 and 
P l^o, it follows from qo %rs t2 that go Eijs ti- Then qo n u for some u 

^RS 

with t\ 4>ir |u. Thus {qQ,uQ) (titx'f2)) & Rq- By Claim 1, this clearly forces 

go C w {tiwt2)- (5.5.6) 

^RS 

On the other hand, by Lemma 3.1 (6) and (7), it holds that 
tiwt2 ti {f\wt2) 4> |u {t\Wt2) ■ 

Moreover, it follows from qo ^ F and (5.5.6) that u {t\vot2) ^ F. Hence, by 
Lemma 3.6(2), we have 

tiWt2 4>F \u {tiWt2) . (5.5.7) 

Consequently, by (5.5.6) and (5.5.7), the process u {tiwt2) is indeed the one 
that we seek. □ 

Now the main theorem of this section is stated below, which, together with 
Theorem 5.1, gives a bridge from CLLT to the action-based CTL that will be 
considered in Section 8. 

Theorem 5.1 For any process p, ti and t2, p Qrs t\wt2 iff p E^g ti 1 12- 

Proof. Immediately follows from Lemma 5.2 and 5.5. □ 

Let us mention two important consequences of the above theorem: 

Corollary 5.1 Suppose p Qrs tiwt2 and p =>f \po =^f \pi ■■■ f \Pk- If 

-.3i < k{pi Cfls t2) then pk E^s tiwt2- 

Proof. Straightforward. □ 

Corollary 5.2 (Monotonicity Law of zu) If ti ^rs si and t2 ^rs S2 then 
tivjt2 ^Rs S-IWS2- Hence ^rs is a precongruence w.r.t the operator w. 
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Proof. Since Qrs is reflexive, it is enough to prove that, for any p, p Qrs 
tiwt2 implies p Qrs situS2- This immediately follows from Theorem 5.1 and the 
transitivity of ^rs- O 

The remainder of this section will be devoted to the proof of that Qrs is also 
precongruent w.r.t the operator 0. To this end, the following preliminary result 
concerning inconsistency predicate is needed. 

Lemma 5.6 The set fl given below is a i^— hole. 

^ f , , _, f uiC u,PiQrs P,qiQRS q and \\ 

n= iuQ{pwq) :3ui,pi,qi\ -flS V. 

Proof. Suppose ti {piwqi) G fl. That is, there exist t2, P2 and q2 such that 
t2 C ti,p2 Ei?s Pi, 92 Qrs qi and t2 {P2^q2) ^ F. 

Let 3 be any proof tree of Strip{rcLLT, Mcllt) I~ ii {piwqi)F. Since 1,2 
{p2^q2) ^ F. t2 ^ F hy Lemma 3.3(6). Then, due to t2 C ^i, we also get ti ^ F. 

~RS 

T 

Moreover, by Lemma 3.1(7), ti {piwqi) is stable because of ti ^A. Thus the last 
rule applied in S is 

ti {piwqi) Aw, IrF -.tiQ {piwqi) A r| 

7 — — for some a G Act. (5.6.1) 

ti {piwqi)F 

Then a <E I{ti) by Lemma 3.2(5). Since t2 □ ti and t2 ^ F, we get I{ti) = 

~RS 

1(^2) = -^(^2 ip2'!^q2)) by Lemma 3.2(5). Hence a G 1(^2 © {P2'coq2))- Moreover, 
by Lemma 3.5, it follows from t2 (P2^^92) ^ -P' that t2 © (P2^^92) Ajr s for some s. 
The remaining proof depends on the claim below, which yields information about 
the format of s. 

Claim 1 s = (si AP2) © {P2'^q2) for some s\ with t2 Af s\. 

Since f2 © (p2^^92) Af s, by Lemma 3.2(5) and 3.3(4)(6), there exists si such 
that t2 Af Si and 

either s = (si AP2) (P2^^'!'2) ov s = S\ A 52- 

Thus it is enough to show that S\f\q2. Conversely, suppose that s = s\Aq2. 

Due to Si A 92 ^ F, by Lemma 3.1(8) and 3.8, si A 92 |-S2 A 53 for some 52,93 
with si 4'F |s2 and 92 =>F l^s • Since f2 IZ ti and t2 Af si =i>F |s2 , S2 C m for 

some u, V with — >f f =^f |w. Moreover, it follows from q2 ^rs qi and q2 \q3 
that qs \Z qi for some q^ with qi 4>f \qi- Hence S2 A 53 C m A 54 by Lemma 

~RS ^RS 

3.11(1)(2). Then w A 54 ^ -F because of S2 A 93 ^ F. Further, by Lemma 3.6(2), it 

follows from v t\qi => \u A q^ that vAqi ^ F. However, due to ti © [pizuqi) A vAqi 
and (5.6.1), we have v Aqi G F. Thus a contradiction arises, as desired. 

Now we return to the proof of the lemma. Since s = (si Ap2) © {p2'^q2) ^ F, 
by Lemma 3.8 and 3.1(7)(8), (si AP2) © {p2'^q2) =>f \{sz Aps) © (p2^92) for some 
S3,p3 such that si =>f 1*3 and P2 =>f |P3 • Moreover, it follows from t2 □ ii 

~RS 

and ^2 — ^F si =^F |s3 that S3 IZ ui for some mi, i;i with ti -^p vi =^f \ui. 

'^RS 
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Due to p2 Qrs Pi and p2 \P3, we also have P3 C Pi for some pi with 

~RS 

Pi =^F \P4- Then S3 Aps C ui Ap4 by Lemma 3.11(1)(2). Combining this with 

'^RS 

(s3 A ps) (^2^792) ^ -F, we get 

(wi A P4) (piwgi) e O. 

Clearly, in order to complete the proof, it suffices to prove that 9 contains a 
proper subtree with the root labelled with {m Ap4) {piwqi)F. Since ti vi, 

we have ti {piwqi) A {vi Api) (pitijgi). Thus, by (5.6.1), 9 contains a proper 
subtree with the root labelled with {vi Api) {pizuqi)F. If vi Ap\ is stable then 9 
contains a node labelled with {u\ Api) {p\wq\)F because of {v\ Ap\) {p\wq\) = 
{u\ Api) (pin7(7i), as desired. We next manage another case vi Api 

Since vi Api => \ui A p4 , S3 Ap3 C ui Ap4 and S3 Aps ^ F, we get vi Api 

~RS 

\ui Api by Lemma 3.6(2). Hence there exist ri,r2...rm {m > 1) such that 

vi Api -^F ri r2 ••• -^f rm -^f \ui Api. (5.6.3) 

By Lemma 3.1(7), we also have 

{viApi)Q{piwqi) A riQ{pizuqi)... A rmOiPi'^qi) ^ |(wi AP4) (piwq'i) (5.6.4) 

Then, by (5.6.3), the last rule applied in any proof tree of w {pxwqijF with 
w G {v\ Api, ri : 1 <i < m} must be of the format below 

(pi-cuqi) A u, ^rF : w {pivaqi) A r| 
t« (pitn(jfi)F 

Consequently, by (5.6.4), it is immediate that 3 contains a proper subtree with 
the root labelled with (ui Ap4) {piwqi)F, as desired. □ 

Having disposed of this preliminary step, we can now establish the monotonicity 
laws of the operator 0, which will be useful in the sequel. 

Theorem 5.2 For any process Ui,ri and Si (1 < i < 2), we have 

(1) Ifu2C ui, r2 Eijs S2 Eijs si then U2 (r2ti7S2) C ui & {n-ajsi). 

(2) If U2 Qrs Ui, r2 Qrs n, S2 Qrs si then U2 (r2ti7S2) Qrs ui © {nzusi). 

Proof. Clearly, (2) immediately follows from (1). In the following, we shall prove 
(1). Put 

R= <{t2Q{p2'^q2),tiQ{piwqi)) ■.t2lZ ti,p2 ^rs Pi,q2 ^rs qi>[j ^ ■ 

{ ~JJS J '^RS 

We wish to demonstrate; that i? is a stable ready simulation. Suppose that 
t2 C ii, P2 Qrs Pi and q2 ^rs qi- By Lemma 3.1(7), 3.9, 5.6 and 3.2(5), it is 

~RS 

easy to verify that the pair {t2 (p2^q2), ii {pi^qi)) satisfies (RSI), (RS2) and 
(RS4). It remains to prove that such pair satisfies (RS3). Suppose t2 {p2^q2) ^f 
\u. It is enough to find s such that 



w 



ti (piiu^i) \s and {u, s) G R. 
Since t2 {j>2'^q2) ^ -F, by Lemma 3.9 and 5.6, we have 
h {pivjqt) i F. (5.2.1) 
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Moreover, due to t2 (^2^752) 7^ , ^2 {p2'^q2) —>f v 4>f \u for some v. 
The argument splits into two cases based on the last rule applied in the inference 
Strip{TcLLT,McLLT) i~ ^2 (P2W92) A V. Clearly, the last rule is 

t2 ^ .S S 

either or . 

t2 {jp2^q2) -J- S A 52 t2Q {jp2^q2) (s A P2) {P2'cuq2) 

These two cases may be handled in a similar way. Here we consider only the 
second alternative. In such situation, we get v = {s AP2) {P2^q2) with t2 -^f s, 
and u = (si Ap^) (^2^92) for some Si and p^ with s 4>ir |si and P2 =^f Ips- 
Then it follows from t2 C ti and P2 Eijs Pi that there exist t3,t4 and P4 such 

that ti -%F ta ^F \t4 , Pi =>F \P4 , si \Z ti and ps C ^4. Thus 

ti (piwqi) A (hApi) (pitufji) 4> |(t4 Ap4) (Piwgi). (5.2.2) 
By Lemma 3.11, we also have siApa C t^Api. Hence (w, (^4 A pi) (pirogi)) S 

~RS 

R. Moreover, by Lemma 3.9 and 5.6, it follows from u = (si Aps) {p2'cuq2) ^ F 
that {ti A Pi) © (pirogi) ^ F. Then ti (pitugi) =§>f |(t4 Ap4) © (pirogi) due to 
(5.2.1), (5.2.2) and Lemma 3.6(2). Therefore, the process (ti Api) © (p-izuqi) is 
exactly one that we seek. □ 

Hitherto we have showed that 'Qrs is precongrucnt w.r.t the operators tu, jj, © 
and A. For the remainder operators (i.e., operators in CLL), such property has 
been established in [60]. Consequently, ^rs is precongruent w.r.t all operators 
involved in CLLT. 



6 Fixed-point characterization of the operator w 

From now on wc make the assumption: the sot Act is finite. The motivation be- 
hind this assumption will be given in Remark 6.1. This section is devoted to a 
few further properties of the operator vo including fixed point characterization and 
approximation. These properties will serve as a stepping stone in giving a graphical 
representation of the temporal operator unless in a recursive manner. We begin 
with introducing some preliminary notions. 

Definition 6.1 Given a finite sequence of processes < tQ,t\, . . . ,tn-i > with 
n > 0, the generalized disjunction y ti is defined inductively as 

i<n 

(1) \/ ti = to, 

(2) V *i = (V ti)Vtk for k>l. 

i<k+l i<k 

Moreover, for any nonempty subset S C {fo, . . . , tn-i}, the generalized disjunc- 
tion \/ S is defined as V t^, where the sequence < t^, . . . ,1,,^,^ > is the restriction 

'i<|S| 

of < • • • ,tn-i > to S. Similar to generalized external choice, modulo =ijs, the 
order and grouping of processes in Y 5 may be ignored due to the commutative and 
associative laws [43, 60]. 

Analogously, the notion of a generalized conjunction /\S is defined in the same 

manner, and the order and grouping of processes in /\ 5* may also be ignored by 
the same reason. It should be pointed out that such generalized conjunction /\ S 
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preserves usual logic laws of the connective conjunction only if S is finite (see, 
Remark 6.1). For the sake of simplicity we also introduce the notions below. 

Definition 6.2 Given any process p and t, Sp^t is a function assigning to each 
visible action a process, which is given by 



for any a G Act, 5p^t{o-) 



□ p.true \i I{p) 

/36-f(p) 

□ b.true ) Oa.t otherwise 

bel(p)-{a} 



Given an action a G Act, the auxiliary operator \a\ is introduced below. This 
operator will be used to explore the fixed point characterization of zu. Moreover, 
itself is also of logic meaning, that is, it captures the modal operator ^^along a — 
labelled transitions, it is necessary that . . ." in a sense. 

Definition 6.3 For any a G Act, the operator [a] over processes is defined by 



\a']=\X.l V ( □ b.true)Da.X V V ( □ b.true) . 

\aeACAct V beA-{a} ) j \a((,A(lAct j 

By the way, since [a] p A \j ( □ b.true) ^ F , it is easy to see that 

a^A'ZAct ^<^^ 

\a\'p ^ F for any a and p. A simple but useful result is given below. 

T 

Lemma 6.1 p □ □ a.true whenever p -f^. 

^R.SaeI{p) 



Proof. Put 

R=<{q, 



□ a.true) : g >EI- 

aeliq) I J 



We only need to show that i? is a stable ready simulation relation, which is 
routine and is left to the reader. □ 

In the following, we shall give some basic properties of the operator \a \ . The 
theorem below characterizes processes that refine ones with the format [a] t. 

Theorem 6.1 p S^rs \a\ t iff Vpo,Pi [P \pq =>f \pi implies pi ^rs t 



Proof. (Left implies Right) Assume that p \po \pi- Then it follows 
fromp [a] t that there exists r such that po □ r and \a]t \r . Moreover, 

^RS 

since a £ I{pa) — we get r = t(a). On the other hand, due to po \Z r 

~RS 

and po =^-F \pi , we have pi \Z q for some q with r = dp„ f(a) \q. Further, by 

~RS 

T a 

Lemma 3.1 (8) and 3.2(1), since Sp^ t{a) -f^ and ( □ b.true) we obtain 
a.t ^p \q. Hence t ^p \q. Then pi ^rs t follows from pi □ q, as desired. 

~RS 

(Right implies Left) Let p ^p \po. It suffices to prove that po n q for 

^RS 

some q with \a~\t ^p \q. If a ^ I{pq), then [a~\t ^p \ □ b.true, and po 

beiipo) 



'Notice that, if /(g) = then □ a.true is defined as 0, see Def. 3.2. 
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C □ b.true due to Lemma 6.1. In the following, we consider another case 
a e I{po). 

In such situation, by Lemma 3.5 and 3.8, it follows from pq ^ F that there exists 
Pi such that p \po =5>f \pi- Hence pi ^ns t. Then t ^ F because of pi ^ F. 
Further, by Lemma 3.3 (2)(3)(7), it follows that (5p„,t(a) ^ F. Thus, by Def. 6.3 
and Lemma 3.6(2), we obtain \a]t |(5p„.t(a). Clearly, in order to complete the 
proof, it is enough to show that po □ 5p^ t{ci)- To do this, we intend to prove 

~RS 

that R given below is a stable ready simulation relation. 

^ = {(Po,^po,t(«))}U C . 

It is straightforward to verify that R satisfies (RSI), (RS2) and (RS4). For 

(RS3), suppose po \pi- li c a, we have pi d □ b.true by Lemma 

~flS6e/(pi) 

6.1, and (5j,o,t((i) -^f true ^f □ b.true. If c = a, then 5p„^t{o) -^f t, and 

beiipi) 

it follows from pi Qrs t and pi 4>ir \pi that pi C ti for some ti with t 4>f 

~RS 

\ti . Summarizing, we can conclude that there exists r such that pi C r and 

'^RS 

^Po,t{^) \r. Hence (RS3) holds, as desired. □ 

Corollary 6.1 (Monotonicity Law of \a]) If t ^rs s then \a] t C^s \a] s for 
each a G Act. Hence Qns is a precongruence w.r.t the operator \a] . 

Proof. Analogous to that of Corollary 5.2, but using Theorem 6.1 instead of 
Theorem 5.1. □ 

Now we are ready to discuss the fixed-point characterization of zu. For this 
purpose, a series of functions ijp^q is introduced below. 

Definition 6.4 For any process p and q, the function rjp^q over processes is 
defined by 

Vp,q = Ajf. gV (pA ( A 

V \aeAct 

Obviously, as all operators involved in ijp^q are monotonic w.r.t ^rs, the function 
Vp.q itself is also monotonic. In the following, we intend to show that pzuq is the 
largest fixed point of rjp^q. We begin with arguing that pwq is a post-fixed point of 

Vp,q- 

Lemma 6.2 For any process p and q, pwq Qns Vp,q {P'^q)- 

Proof. If pwq e F then it holds trivially. In the following, we consider the 
nontrivial case pwq ^ F. For simplicity of notation, we shall omit the subscript in 
rjp^q. Clearly, it is enough to show that, for any process f , 

V EflS P^q implies v Qrs V (pwq). 

Assume that t is any process such that t C^s pwq. Let t =>f \ta ■ We want to 
find s such that rjipwq) 4>f Is and to IZ s. It proceeds by distinguishing two 

'^RS 

cases below. 
Case 1 to Qrs q. 
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Thus to C g'o for some qo with q 4>ir I go- Easily, ri(pwq) g 4> I go- Then, 

by go ^ and Lemma 3.6 (1)(2), it follows that r] {pwq) -^p Q =>f \qo - Hence go 
is indeed the one that we seek. 

Case 2 to %rs g- 

In this case, by Theorem 5.1, it follows from t Qrs pwq and f 4>f \to that 
to Qrs P- Then to C po for some po with p \po- The claim below is needed 
to complete the proof. 

Claim 1 \a] pwq 4>ir | Stg prog(o) and to □ Stg prog(a) for each a € Act. 

For any a G Act, due to pwq ^ -F, it is easy to see that Sto,pwq{ci) ^ F- Further, 
by Lemma 3.6 and Def. 6.3, it follows that \a\ pwq \ <^to,prog(<i)- We next prove 
that to C Sto pt37g(a)- By Lemma 6.1, this is immediate whenever a ^ I{to)- In 

the following, we consider the case a e I (to)- Put 

R= {{to,Sto,pu7q{a))}[j c: 

^RS 

We want to show that i? is a stable ready simulation relation. Since it can be 
checked without any difficulty that the pair (to) ^to,prog(^)) satisfies (RSI), (RS2) 
and (RS4), we put attention to verify that such pair satisfies (RS3). 

Assume to =^f l^i • Then b £ I{to) because of to 7^- If 6 7^ a then dtg^pi^^q (a) -^F 



true -^F 



□ c.true, and ti C □ c.true by Lemma 6.1, as desired. We 
ce/(ti) '^RScei{ti) 



next handle another case a = b. In such situation, we get ^t^, prog (a) -^f pwq. 
If ti Qrs Q then ti C gi for some gi with Stg pi^jqia) \f pwq ^f Q =§'f | 

~RS 

gi- If ti %Rs g then, by Corollary 5.1, it follows from to %RS 1, t EflS Pwq and 
t =^F \to =^F |ti that ti pwq, moreover, due to ti | ti, we have ti C v 

'^RS 

for some v with 6to^pzaq{ci) -^f pwq 4>f | v, as desired. 

Now we return to the proof of the lemma. From Claim 1 and to C po, by 

'^RS 

Lemma 3.11(2), it follows that 

*o C Po A A ^to,pwq{^) 1 ■ (6.2.1) 
'^RS \aeAct J 

Moreover, it is obvious that 

^ {pwq) ^ I :Po A ( A h^,p^q{a)\ ■ (6.2.2) 
Further, by Lemma 3.6(2), it follows from to ^ F, (6.2.1) and (6.2.2) that 

T] {pwq) 4>F I Po A ( A K,pz^q{0') ) ■ 
\aeAct J 

Hence the process Po A I A <^to,prog(a) ) is exactly one that we seek. □ 

Wc arc almost ready now to establish the fixed point characterization of the 
operator w. The following lemma is instrumental in doing this. 



40 



Lemma 6.3 For any A; < w, if t Qrs Vp^^i^), t 4>f I^o =^f l^i ••• =^f \tk and 

-Bi < k{ti Qrs q) then tk CI wAl /\ Sn, «(a) ) for some w with p \w, and 
hence tk Qrs P- 

Proof. Prove it by induction on k. For the induction basis A; = 0, since t \^rs 
Vp q{u), we get to n r for some r with ripq{u) \r. Then it immediately follows 

~RS 

from to %Rs q that 

\aeAct / 

Thus r = w A s for some w and s with p 4>ir |t« and A [a] m 4>f |s • Due to 

a^Act 

T 

w A s ^ F and w A s t^-, we get I{w) = I{s). Further, by Def. 6.3, it is easy to see 
that s = A ^w,u{0'), as desired. 

aeAct 

For the induction step k = n + 1, since t Qrs ??p,q^(w) = ?7p,9^('7p,g(w)), by IH, 
there exists w such that p 4>ir |w and 



'^RS 



A '5«;,^,„(n)(«)V (6.3.1) 
\aeAct J 



Since f„ |in+i and 7^, we have a„+i G I{tn)- Then a„+i G -f(w') 

because of tn ^ F and (6.3.1). Hence 

<5t«,77p,5(«)(an+i) = ( □ b.true)Dan+i.'rip,q{'^)- 

bel(w)-{an+i} 

By (6.3.1) and t„ "^^jr , we get tn+i C r for some r with 



w^i A '5t<;,^p,,(«)(a) 



=4- F \r. 



Further, due to commutative and associative laws of A, it is not difficult to see 
that r ^Rs w A s for some v and s with (5„ ^(„)(o„+i) Vp,q{u) |s . 

Moreover, it follows from tn+i C r and t/j = f„+i 2flS 9 that 



r?p,g(u) P A ( A \a]u]^F\s 

\aeAct J 



Then, analogous to the induction basis, we have s = s\ A si for some s\ and si 

withp 4>ir \s\ and S2 = A '^si «(£*)• Hence C r «i{5 vAs C s = si As2, 
aeAct ' ~RS ^RS 

as desired. □ 

We are thus led to the following strengthening of Lemma 6.2. 

Lemma 6.4 For any process p and g, pwq is the greatest (w.r.t Eijs) post-fixed 
point of ?7p,g. 
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Proof. By Lemma 6.2, we are left with the task of determining that jnuq is 

greatest among post-fixed points of rjp g. Let t Qrs Vp-gi^)- We intend to prove 
that t Qhs P'ojq. Assume that t \to =^f \ti ■■■ =^f \tk with A; > and 

-■3i < k{ti Cjj5 q). By Theorem 5.1, it suffices to show that tk Eas P- Since 
t Cfls Vp.qit) and rip^q is monotonic w.r.t we get t Cjjg r]p^^{t). Then tk 

Qrs P immediately follows from Lemma 6.3. □ 

The next theorem constitutes one of the two main theorems of this section. 

Theorem 6.2 (Fixed-point characterization of zu) For any process p and q, 
pvjq is the greatest (w.r.t Qrs) fixed point of r]p^q. 

Proof. By Lemma 6.4 and 6.2, we only need to show that rjp^q {pwq) "Qrs pzuq. 
It follows from pwq Qrs 'np,q {P'^q) that r/p,g (pwg) Qns np,q {rip,q ip^l))- Then, by 
Lemma 6.4, we have rjp^q {pwq) ^rs P'ccjq, as desired. □ 

It is well known that, for any continuous function $ over a complete lattice with 
the top element T, its greatest fixed-point is exactly the largest lower bound of 
the decreasing sequence {^*(T)} .^^ (i.e., uZ.^ = Fl $'(T)) (see for instance [21]). 

The next theorem gives an analogous result for pwq. 

Theorem 6.3 (Approximation of w) For any process p and q, pwq is the 
greatest lower bound of the decreasing (w.r.t Qrs) sequence {r]p q{true)}.^^. 

Proof. Since pzuq ^rs true, by Lemma 6.2, it is obvious that pwq is a lower 
bound of {^p,9(^^we)} .g^. Let t be any lower bound of {Vp,q{t'''ue)} We intend 

to show t Qrs pwq. Assume that t 4>ir \to =^f \ti ... \tk with A; > and 

< k{ti ^Rs q). Clearly, we have t ^rs 'f]p^^{true). Then t^ C^g p due to 
Lemma 6.3. Consequently, t \=rs pwq follows from Theorem 5.1. □ 

Remark 6.1 It has been established in [43, 60] (see also Lemma 3.11 in this 
paper) that, for any process q, pi and p2, (?) Pi A p2 \=rs Pi (* = 1)2) and (ii) 
if Q Ei?s Pi and q ^rs P2 then q ^rs pi Ap2. That is, pi A P2 is the largest 
lower boimd of {pi,p2} w.r.t Qrs- Inspired by this, someone may try to introduce 
the notion of generalized conjunction in a natural way to express the largest lower 
bound of {??p,g(*''^e)}j£(^ by the term /\ r]p^^{true). The rule below is one of po- 

tential candidate rules that generalize the rules (Ra-7) and (Ra-8) to the generalized 
conjunction. 

^ * with kel. (GC) 



^p^^^t 

i£l iel 

Here / is an arbitrary indexed set, and for i G I, ii i ^ k then ti = pi else 
ti = t. Unfortunately, it would be an unsuccessful attempt if the rule (GC) is 

adopted as the only rule concerning r-transition for such generalized conjunction. 
By this rule, /\ ifp q{true) can not arrive at any stable state within finitely many 

T-transitions. Thus /\ ^ (trwe) is inconsistent and f\ rj^ ^{true) =rs-L. In fact, 

the conjunction A in the framework of LLTS can not be generalized in the above 
manner to capture the generalized conjunction in usual logics. For instance, by 
(GC), it is easy to see that the (generalized) idempotent law /\ p =rs p does not 
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always hold, e.g., consider pi = a.O V 6.0 with i € uj, then we have /\ Pi € F but 
a.O V 6.0 ^ F, and hence /\ pi ^rs oi-O V 6.0. By the way, since the definition of 
the function rjp^g refers to the term /\ [a] X, we assume that Act is finite in this 

aeAct 

and the next two sections. 

Analogous to [44] , some basic laws concerning jj and \a] are listed below, which 
reveals that a few of standard temporal laws hold in CLLT. 

Corollary 6.2 For any process p and q, we have 

(1) \a] true —rs true =rs V I □ a.true 

ACAct \aeA 

(2) [a] (p A q) =rs [a] pA\a]q 

(3) A q) =Rs Hp a 

(4) ftp =RS pro _L 



(5) =ijs P A A [«! Bp 

(6) true A p =rs p A true =rs p 

Proof. (1) Obvious. (2) is implied by Lemma 3.11(3) and (4), Theorem 6.1 and 
Corollary 6.1. (3) follows from Lemma 3.11(3) and (4), Theorem 4.1 and Corollary 
4.1. (4) It is enough to show that t Qrs ftP iff t E-RS P'^ -L for ^ny t, which is 
implied by Theorem 4.1 and 5.1. (5) follows from the item (4) in this lemma and 
Theorem 6.2. (6) is implied by p ^rs true and Lemma 3.11(3)(4). □ 

As an easy consequence, we also obtain the following fixed point characterization 
and approximation of (J. 

Corollary 6.3 (Fixed-point characterization of ji) 

(1) Hp =Rs Vp,± dp)- 

(2) ftp is the greatest (post-)fixed point of ??p,_L. 

(3) tip is the greatest lower bound of the decreasing sequence {rjl, ± {true) \ 

Proof. Follows from Theorem 6.2 and 6.3 and Corollary 6.2 (4). □ 

We conclude this section with providing some sound inference rules concerning 
w w.r.t Ers- As an immediate consequence of Lemma 6.4 and Theorem 6.3, it 
is obvious that the rules below are sound provided that < is interpreted as Qrs- 
Moreover, by Corollary 6.3, similar rules also exist for jjp. 

t < VpAt) .gpp) yi<cj{t<rj;^^{true)) 
t < pwq t < pwq 

Clearly, since the premise in (APP) may be proved by induction on natural 
numbers, we also have the rule below. Notice that, since it always holds that 
t EflS true = r]p g{true), the premise t < r]p g{true) in (IN APP) may be omitted. 

t < Vp,g{true), Vi < ujjt < vlJtrue) ^ t < r];+^{true)) .jj^^pp. 
t < pwq 
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7 Graphically representing unless by recursion 



In the light of the greatest fixed-point characterization of vj, this section will con- 
sider an alternative approach to giving a graphical representation of the temporal 
operator unless in pure process-algebraic style. Following Milner [45], for any pro- 
cess p and q, we introduce the constant pwq, which is defined by the equation 
below 

Formally, two rules below are added into CLLT, which are usual rules about 
recursion. 

a 

pwq ^ t P^l^ 

The resulting calculus is denoted by CLLT^,. CLLT,, inherits the notion of the 
degree of a process (see, Def. 3.3) with adding the clause \pnjq\ = 1 for each p and 
q. Then it is easy to check that the function is a stratification of CLLT,, , where 

is defined by 

• S^{t A- r) = G{t) X w -f |t| for any literal t ^ r, and 

• [tF) = w X 2 for any process t. 

Here G{t) is the number of unguarded occurrences of constants with the format 
rWs in t. For instance, G{pwqDru:!t) = 2 and G{pwq V rwt) = o[^. Obviously, the 
function G can be defined inductively, and we leave it to the reader. 

Therefore CLLT,, has a unique stable transition model, and the LTS associated 
with CLLT,,, denoted by LTS{GLLTri), may be defined as usual. Moreover, all 
results obtained in Subsection 3.3 still hold for LTS{GLLTri) and will be used in 
the remainder of this section. Here we do not verify them in full detail and only 
illustrate that LTS{CLLTjj) is a LLTS. To this end, the notion of r— degree (see, 
Def. 3.6) is enriched by adding the clause below, for any process p and q, 

d{pwq) = max{(i(q), d{p/\ /\ \a \ pwq)} + 1. 

a£Act 

Clearly, r is the only action enabled from pwq and the target state of such 
T-transition is either q or pA f\ \a \ pwq. Thus the above clause also appropri- 

a^Act 

ately measures pwq 's capability of executing successive r actions. Moreover, since 
d{a.pwq) — for each a G Act (see also, Def. 3.6), the definition above is well 
defined. 

By (Ra,,) and Def. 6.4, it is obvious that Lemma 3.7 still holds for pwq. 
Then, analogous to Lemma 3.8, we can prove that the condition (LTS2) holds 
for LTS{GLLT,^). Moreover, by (Ra,,) and (Rp,,), it can be showed without 
any difficulty that LTS{CLLT,^) is t— pure and satisfies (LTSl). Summarizing, 
LTS{CLLT,^) is a r-pure LLTS. 

As mentioned above, this section aims to capture the temporal operator unless 
in the recursive manner. Thus we need to show an analogue of Theorem 5.1 for any 
constant pwq. We do not intend to prove such result from scratch. The remaining 
work will attend to proving that pwq is equivalent to pwq modulo =rs, which 
implies one that we desire. 



^Notice that, since the 'first move' of r V s is independent of r and s, the occurrence of r and 
s are (weakly) guarded in r V s. 
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Although the equivalence between pwq and pwq seems straightforward, its proof 
is far from trivial and requires a solid effort. In fact, if we neglect the requirement 
on the consistency in the notion of ready simulation (see, Def. 2.2), it is trivial to 
show that pwq and pwq are matching on actions. However, everything becomes 
quite troublesome when the predicate F is involved. The main difficulty in carrying 
out such proof is that we need to prove that pwq S F implies pwq G F. This 
requires a sequence of auxiliary propositions about proof trees. Before giving these 
propositions, we introduce the notion below. 

Definition 7.1 Given processes pi with i < n, a. process u is said to be a 

conjunction of these pi if each pi occurs in u and u is obtained from these pi by 
using only the operator A in arbitrary order and grouping. Similarly, we can define 
the analogous notion for disjunction. 

Lemma 7.1 Given processes Pi and p* such that Pi =>f Pi with i < n, and let p 
be a conjunction of these Pi. If S is a proof tree of pF then there exists a nonempty 
set K C {0, 1,2 - • - n} such that S contains a subtree with the root labelled with 
wF, in particular, such subtree is proper provided that pi^ A=l> for some io < n, 
where w is a conjunction of p* with i G K. 



Proof. The proof will be done by induction on the depth of the inference by 
which pF is inferred. We denote /pi ■ ■ ■ Pn /Pn] briefly by p*. Then p (-^)™ 
p* for some m. If m = then the conclusion holds trivially due to p* = p. Next 
we consider the case m > 0. Then p ^ s (^►)™^^ p* for some s. Moreover, since 
Pi ^ F for each i and p £ F, we get n > 0. Hence p = wi Aw2 for some wi and W2- 
Thus the last rule applied in 9 is 

WiF P^u, UF-.p^tl 

either with i € {1, 2} or 5^— -. 

pF pF 

For the first alternative, w.l.o.g, we assume i = 1. Then 3 contains a proper 
subtree with the root labelled with wiF. Clearly, there exists a nonempty set 
N C {0, 1, 2 • • • n} such that wi is a conjunction of pi with i G N. Thus, by IH, 
it follows that there exists a nonempty set K C N C {0, l,2---n} such that 
contains a node labelled with wF, where w is a conjunction of all p* with i G K. 

For the second alternative, since p A, there exists k < n and such that 
Pk -^F Pk Pk- Then 9 contains a proper subtree S>i with the root labelled with 
sF , where s is a conjunction of pj, and pi with k ^ i < n. Further, by IH, it follows 
that there exists a nonempty set K C {0, 1,2 ■ • - n} such that S5i contains a node 
labelled with wF for some conjunction w of all p* with i G K. □ 

Lemma 7.2 For any nonempty A C Act and processes r and t, let p be any 
conjunction of ^r,t(«) with a € A, then each proof tree of pF must contain a proper 
subtree with the root labelled with uF, where u = t or m is a conjunction of t and 
true. 



Proof. Prove it by induction on the depth of inference. Let 3 be any proof tree 
of pF. Since Act is finite, so is A. If \A\ = 1 then p = 6r,t{a) for some a. Hence 
it follows from 5rt{a) € F that a G /(r) and ^rt(«) = ( □ b.true)Da.t. 

bel{r)-{a} 

Moreover, since □ b.true ^ F, it is easy to see that S contains a proper 

6e/(r)-{a} 

subtree with the root labelled with tF. In the following, we consider the case where 
1^1 > 1. In such situation, p =pi Ap2 for some pi, P2- Since I{pi) = I{p2) = lir), 
the last rule applied in 9 is 
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p p-^s, iwF:p^w'> 

either with fc € {1. 2} or — for some a. 

pF ' pF 

The proof for the first case is immediate by applying IH. For the second one, 
we must have a ^ t, for otherwise it immediately follows that {r} = I{r) and 
p —Rs true ^ F, a contradiction. Moreover, we also have a € A, for otherwise a 
contradiction arises as p — >■ p =rs true ^ F for some p . Then it follows from 
(5r,t(a) A- 1 and Sr,t{b) true with 6(7^ a) A that the only a— labelled transition 
from p is p ^ u = p[t /6r,t{ct), true/ i5r,t(fei), • • • , true/6r,t{bn)] with {61, ••• , 
bn} = A — {a}. Clearly, u is a conjunction of t and a number of true, and 9 
contains a proper subtree with the root labelled with uF. □ 

By the lemma above, it is obvious that /\ (5,.^((a) G F implies t ^ F. In fact, the 

aeA 

converse also holds if I {r) DA ^ 0. The result below is analogous to the well-known 
fact that the sentence /\ {\/ is inconsistent in classical logics if and only if, for 

any set {Pojo: Piji ' ' ' Pnjn} with ji < rrii for each i < n, there exists a nonempty 
set C {0, 1, • • • n} such that /\ /3kjf. is inconsistent. 

keN 

Lemma 7.3 Assume that p is a conjunction of pi with < z < n and for any 
i < n, there exist pij with j < such that pi is a disjunction of Pij'j^. Then, 
for any proof tree 3 of pF and n + 1— tuple ptkl such that Vi < n{ki < rui), there 
exists a nonempty set K C {0, 1, 2 • • • n} such that 3 contains a subtree with the 
root labelled with wF for some conjunction w of p^fe. with i € if, in particular, such 
subtree is proper whenever 3i < n{mi > 0). 

Proof. Proceeding by induction on the depth of 9. Suppose that pik^ is any 
n + 1— tuple such that Vi < n{ki < rrii). If = for each i < n then there exists 
exactly one such n + 1— tuple and p is a conjunction of pikl . Hence the conclusion 
holds trivially. In the following, we consider the case where Eli < n{mi > 0). 

If n = then p = po, and hence p is a disjunction of poj with j < mo. Moreover, 
due to mo > 0, it is obvious that 3 contains a proper subtree with the root labelled 
with pQkgF. We next consider the case where n > 0. In such situation, we may 
assume that p = wi A W2 for some wi and W2- Moreover, it is not difficult to see 
that the last rule applied in 3 is 

yj^F p^w, ltF:p^t\ 

either with i e {1, 2) or —. 

pF ^ ' pF 

For the first alternative, w.l.o.g, we assume i = 1. Thus 5 contains a proper 
subtree 3i with the root labelled with wiF. Clearly, there exists a nonempty set 
N C {0, 1, 2 • • • ri} such that wi is a conjunction of pi with i ^ N. For |A^| —tuple 
Pik- with i ^ N, hy IH, there exists a nonempty set K C N C {0, 1, 2 • • - n} such 
that 5Ji contains a node labelled with wF, where w is a conjunction of pik^ with 
i & K, as desired. 

For the second alternative, it follows from 3i < n{mi > 0) that p ^ s ^ p[ PikJ 
Pi] for some s. Thus 3 contains a proper subtree 9i with the root labelled with 
sF. Obviously, for some jo ^ "^^ and p^^ with ^ p^-^, , s is a conjunction of p^^^ 
and Pi with jo ^ i < n. Moreover, there exists a nonempty set N C {0, 1, 2 • • • mj^} 
such that Pj^ is a disjunction of pj^^i with i € N. In particular, Pj^kj^ = Pjoi for 
some I e N due to p -^^ s =^ p[ PikJ Pi]- Then, by IH, there exists a nonempty 

^''Notice that if mi = then pi = piQ. 
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set K C. {0, 1, 2 • • • n} such that Sii contains a node labelled with wF, where w is a 
conjunction oipiki with i G K. □ 

Now we are ready to show that pwq G F implies pvaq € -F by induction on 

inference. The lemma below contains four assertions which state the links between 
consistency of some processes in the transition system generated by pzuq and con- 
sistency of corresponding processes in the transition system generated by pvcjq. 

Lemma 7.4 Assume that u € F. Then 

(1) If u = pwq or « is a conjunction of pwq and a number of true then pwq € F. 

(2) If u is a conjunction of pA /\ \a] pwq and p, with i <n then 1 {pwq) e F 

aeAct 

for any conjunction t of p and Pi's. 

(3) If u is a conjunction of dpg^p^{a) and stable pi with a € A and i < n, then 
t (pwq) e F for any conjunction t of Pi's, where 7^ A C Act. 

(4) If M is a conjunction of pi with i < n, pwq and a number of true then 
{t Ap) Q {pwq) G F for any conjunction t of piS. 

Proof. Let S be any proof tree of uF. We will prove item (l)-(4) simultaneously 
by induction on the depth of 9. The argument splits into five cases based on the 
format of u. 

Case \ u = pwq. 

It is obvious that the last two inference steps in are 

qF, ipA A \a]pwq)F 

aeAct 

'np,q{¥m)F 

pwqF 

Thus q e F. Moreover, by IH about item (2) with n = 0, we also get pQi{pwq) G 
F. Then pwq <E F hy Lemma 3.3 (5). 

Case 2 u is a conjunction of pwq and Pi (= true) with i <n. 

In this situation, we may assume that u = Ui AU2. Since u the last rule 
applied in is 

y^.p u ^ w, <rF:u^r> 

either with i e {1,2} or ^. 

uF uF 

For the first alternative, w.l.o.g, wc assume i = 1. Since Ui € F, the process 
pwq must occur in ui. So, by IH about item (1), we have pwq € F, as desired. 
For the second alternative, since pwq A- q and pwq ^ pA /\ \a \ pwq, there 

aeAct 

exist two proper subtrees of 3 whose roots are labelled with viF and V2F respec- 
tively, where v\ (or, V2) is a conjunction of q ( respectively, pA /\ \a\ pwq) and 

aeAct 

Pi's. Then q & F hy Corollary 6.2(6). Moreover, by IH about item (2), Corollary 
6.2(6) and Theorem 5.2, we also get p (pwq) G F. Hence pwq G F. 

Case 3 u is a conjunction of pA /\ \a\ pwq and Pi with i < n. 

aeAct 



47 



Let t be any conjunction oi p and Pi's. It t E F then it immediately follows that 
t {pvjq) € F. In the following, we consider the nontrivial case where t ^ F. If it 
were true that s (pruq) S F for any s with t |s , we would have 1 {pwq) G F 
by Lemma 3.1(7), 3.3(6) and 3.8. Thus we assume that t \to and intend to 
prove to {p'^l) G F ■ Clearly, /\ \a \ pwq and there exist p* and Wi 

aeAct 

(i < n) with properties below: 

to is a conjunction of p* and Wi, p \p* and Pi \wi for each i < n. 

Then, by Lemma 7.1, there is a nonempty set F C {p*, w^, /\ \a] pwq : 

I < n} such that 3 contains a node labelled with wF , where u; is a conjunction 
of processes within F. Moreover, due to /\ \a\ pwq ^ F and to ^ F, we have 

a£Act 

A \a\ pwq £ T and F n {p*, : i < n} ^ 0. 

On the other hand, by Def. 6.3, for each a G Act, the process \a \ pwq is a 
disjunction of processes Sa with A C ^ci, where 



□ b.true if a ^ A 

beA 



( □ b.true)n\a.pwq otherwise 

beA-{a} 



In particular, by setting A = I{p*) for each a G Act, we get a tuple (5p«,prog(a 
with a G Act. Moreover, each process in F n {p* , Wi : i < n} may be regarded 
as a disjunction of itself. Thus, by Lemma 7.3, there exists a nonempty set 9 C 
(F n {p*,Wi : i < n}) U {Sp* ,p^{a) : a G Act} such that 3 contains a proper subtree 
3i with the root labelled with sF for some conjunction s of all processes in Q. Due 
to tQ ^ F, O must contain (5p*.prog(fl) for some a G Act. We distinguish two cases 
below. 

Case 3.1 C { Sp*^p^{a) : a G Act}. 

Then s is a conjunction of some processes with the format Sp* p^{a) . By Lemma 
7.2, Sji contains a proper subtree with the root labelled with rF, where either 
r = pwq or r is a conjunction of pwq and a number of true. So, by IH about 
item (1), we have pwq G F. Hence p (pwq) G -F by Lemma 3.3(5). Moreover, 
by Lemma 3.6 (2), it follows from p (pwq) 4> \p* (pwq) that p* (pwq) G F. 
Further, by Theorem 5.2 and to C/js p* , we get to {pwq) G F, as desired. 

Case 3.2 ^ { Sp'-^p^{a) : a G Act}. 

In such situation, Q D {p*,Wi : i < n} 7^ 0. Let ti be any conjunction of 
processes within 6 n {p*, Wi : i < n}. Then ti (pwq) G F due to IH about item 
(3)E1. Further, by Theorem 5.2 and to ^rs ti, we get to © (p^?) £ F. 

Case 4 u is a conjunction of stable processes pi and Spg^p^{a) with i < n and 
a G A 7^ 0. 



'^This follows from /\ \a] pzuq - 

a£Act 



/\ ^ F and Lemma 3.6 



"Notice that, due to to ^ _F, I{p*) = I{wi) for each i < n. Hence, for any i < n and a G Act, 
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Let t be any conjunction of Pi with i < n. Clearly, u = Ui A U2 for some Ui 
and ?i2. In the following, wc consider only the nontrivial case t ^ F. In such 
situation, it is obvious that all pi have the same ready set. Since u is stable and 
I{ui) = I{u2) = I{Pi) for each i < n, we may distinguish two cases based on the 
last rule applied in 3. 

uF 

Case 4.1-!— with i e {1,2}. 

uF 

W.l.o.g, we assume i = 1. Since t ^ F, 6pg^p^{a) occurs in m for some a & A. If 
wi also contains pi for some i <n then, by IH about item (3), we have ti © [pwq) e 
F, where ti is any conjunction of all pi occurring in ui. By t Ei?s ti and Theorem 
5.2, we have t © (pwq) t\ © {pwq). Then it follows from ti © {pwq) G F that 
t © (pwq) e -F, as desired. 

Next we consider another case where none of pi (i < n) occurs in ui. Then 
there exists a nonempty set B C A such that ui is a conjunction of SpQ^p^{a) with 
a G B. Thus, by Lemma 7.2, 5 contains a proper subtree with the root labelled 
with wF, where w is either pwq or a conjunction of pwq and a number of true. 
Hence pwq £ F due to IH about item (1). Further, by Lemma 3.3(5), we obtain 

q€ F and p © {pwq) € F. 

On the other hand, since ui is a conjunction of (5p„_p^(a) with a £ B, we 
must have /(po) 7^ 0, for otherwise a contradiction arises due to ui =rs A 

aeB 

Spo.wmi") = A ^ F. Let & be any action in I{po)- Since all pi have the same 

ready set and t is a conjunction of pj's, we have b € I{t) = I{t © {pwq)). In order 
to prove that t © {pwq) G F, hy Lemma 3.5, it is enough to show that v & F fov 

each V with t © {pwq) A- v. Let r be any target state of 6— labelled transitions from 

t © {pwq). Then r = ti A q ov r = {ti A p) G (pwq) for some ti with t \ ti. For 
the former, it follows from q € F that r <E F. For the latter, by Lemma 3.11(3) 
and Theorem 5.2, we have r = {ti A p) Q {pwq) I^rs P © {pwq), and hence r G F 
because of p © {pwq) G F. 

u A s, jrF : u A r| 

Case 4.2 i^— for some 6 G Act. 

uF 

Since w is a conjunction of pi and (5po,pro9(a) with i < n and a G A, we get 
6 e -^(pi) for each i < n. Thus 6 e /(f) = I{t © (ptug)). Analogous to Case 4.1, 
in order to prove that t {pwq) G F, it is cnoiigh to show that each 6— derivative 

of f © (pwq) is inconsistent. Let r be any process such that t © {pwq) -\ r. Then 

r = ti A q or r = {ti A p) Q {pwq) for some ti with f A- ti. In the following, we 
intend to prove that both ti A q and {ti Ap) Q {pwq) are inconsistent. 

We first prove that b G A. On the contrary, suppose that b ^ A. Hence 

<5po,prog(a) — > true for each a € A. Moreover, since A Pi =RS ^ ^ -F, by Lemma 

i<n 

3.5, A Pi A s for some s ^ F. Then a contradiction arises as s =iis f for some r 

i<n 

with M A- r. 

Since f — > fi, there exist Wi with — > for each i < n and ti is a conjunction 
of these Wi. Moreover, since b G A and m is a conjunction of pi and 6p„^p^{a) with 

i < n and a G ^, there is a process w such that u \ w and w is a conjunction of 
Wi with i < n, pwq and a number of frue. Thus 3 contains a proper subtree with 
the root labelled with wF. Hence {ti Ap) Q {pwq) G F due to IH about item (4). 
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On the other hand, since pwq A q, there exists v such that w ^ v and u is a 
conjunction of Wj with i < n, q and a number of true. So, by Lemma 3.6 (1), it 
follows from w ^ F that w G F. Moreover, by Corollary 6.2 (6) and the idempotent, 
commutative and associative laws of A, it is easy to see that v =iis ti A q. Hence 
hAqGF. 

Case 5 u is a conjunction of processes pi, pwq and tj (= true) with i < n and 
j < m. 

Let t be any conjunction of pi with i < n. Similarly, wc consider only the 
nontrivial case t A p ^ F, and assume that u = Ui A U2- Since w — >■, we may 
distinguish two cases based on the last rule applied in 

u ^ s, IrF : u ^ r> 

Case 5.1 ^ 

uF 

Since pwq pA /\ \a \ pwq, there exists w such that u w and w is a 

aeAct 

conjunction ofpi, pA /\ \a \ pwq and tj with i < n and j < m. So, 9 contains a 

aeAct 

proper subtree with the root labelled with wF. Let v be any conjunction of pi, p and 
tj with i < n and j < m. Then v (pwq) e by IH about item (2). On the other 
hand, by Corollary 6.2 (6) and the idempotent, commutative and associative laws 
of A, we have t Ap =bs v. Further, by Theorem 5.2, it follows from v {pwq) G F 
that (i Ap) (pwq) G F. 

uF 

Case 5.2 with i e {1,2}. 
uF 

W.l.o.g, we assume i = 1. Since t Ap ^ F, pwq must occur in ui. We consider 
two cases below. 

If Pi does not occur in ui for each i < n, then ui is a conjunction of pwq and 
a number of true. Thus pwq e F by applying IH about item (1). So, by Lemma 
3.3(5), we have pQ {pwq) G F. On the other hand, by Theorem 5.2(2), it follows 
from t Ap Qrs V that {t Ap) Q {pwq) ^rs P& {p'^q) ■ Hence {t Ap) Q {pwq) G F. 

If there exist some pi occurring in Ui, then {ti Ap) {pwq) G F by IH about item 
(4), where ti is any conjimction of all pi occurring in ui. Similarly, by Theorem 
5.2(2) and t Ap Qrs h A p, it follows that {tAp)Q {pwq) G F. □ 

The preceding result guarantees that a series of processes are consistent under 
certain circumstance. We will encounter such processes and circumstance in the 
next lemma, which will be used in demonstrating the main result of this section. 

Lemma 7.5 Suppose that v "Qrs pwq and the relation R exactly consists of all 
pairs <t,w A{ f\ 6w^p^{a)) > such that there exist n < co, Pi,Vi, Uj and Uj with 

aeAct 

i <n and j <n — 1 satisfying the conditions below 

(a) p 4>F bo and v 4>_f \va , 

(6) for each i with < i < n — 1, Vi bi+i , Pi -^f Ui and Ui Ap \Pi+i , 
(c) for each i with < i < n, Vi \Z piQ {pwq) and Vi Q, and 

{d) t = Vn and w = Pn- 

Then R[j d is a stable ready simulation relation up to C 
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Proof. Let < r, s A ( /\ 6s,p^{a)) > be any pair in R. Thus there exist pi, Vi, 

aeAct 

ttj and Uj with i < n and j < n — 1 satisfying the conditions (a)- (d). In particular, 

r = Vn and s = pn- Wc intend to check that this pair satisfies four conditions in 
Def 4.1. Amongst, it is straightforward for (RSI) and (RS4). Moreover, due to 
Vn d Pn® {pvoq) and Vn ^ F, we have p„ © [pvoq) ^ F. Then, by Lemma 7.4 

(3), it follows that 

Pn A ( A 5p^,pm{,a)) ^ F. (7.5.1) 

a^Act 

Hence (RS2) holds. Next we verify (RS3-upto). Let r(= «„) 4>ir |w„+i . Since 
V pwq and v ^ F.hj Lemma 7.4(1), it follows that pwq ^ F. Then, due to 
b € I{vn) = I{Pn {p^q}) = I{pn), WC have, for any a G Aci, 

true a a^b 
5p^,pmi.<^) -^F \ ■ (7.5.2) 

pwq if a = 6 

To complete the proof, we want to find t such that p,i A ( /\ '5p„,prog(Q')) =^-F |^ 
and {vn+i,t) € (i?U C )o C . We distinguish two cases below. 

Case 1 u„+i Cfls q. 

Due to w„ IZ Pn {P'^q) and Lemma 5.1 (1), we have w„ c p„. Further, we 

~RS ~RS 

get Vn+i C p„ for some p , Un with Pn Un 4>ir p . On the other hand, it 

"^RS 

follows from Vn+i ^rs q that Vn+i □ qi for some gi with q \qi ■ By Lemma 
3.11(2), since Vn+i C J3„ and Vn+i C 9i, we obtain 

Un+l C Pn/\Qi- (7.5.3) 

Hence p„ A gi ^ F because of Vn+i ^ F. Further, by Lemma 3.6 (2) and 3.1(8), 
it follows that 



Un A pwq -^F Un A q 



Pn Aqi 



By (7.5.2), Lemma 3.2(2), Corollary 6.2(6) and the idempotent, commutative 
and associative laws of A, we obtain 

Pn A ( A <5p„,pwg(a)) -^F u =Rs u„ A pwq for some u. 

aeAct 

Hence there exists t such that 

Pn A ( A '5pn,prog(a)) u ^F \t and p^ A gi C 

Further, by (7.5.3), we have Vn+i C p„ A gi C t. Thus the process t is 
exactly the one that we seek. 



Case 2 i;„+i %rs q- 
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Since ?;„ C p„ (p^q) and Vn \vn+i , there exists u such that Vn+i C u 

~RS '^RS 

and p„ {pwq) \u- Further, due to Vn+i %rs 9> it is not difficult to see that 



there exist Pn+i, Un, p and p„ such that 



b e 
Pn ->F Un =>F 



p , Pn+1 = Pn A p , and 



Pn (p^q) {un Ap)Q (p-cuq) 4>f \Pn+i {P^q) = U. 
Then it follows that 

< i;„+i,p„+i A ( A 5p^^^,imq{a)) >& R. (7.5.4) 

On the other hand, by Lemma 3.2 (2), Corollary 6.2(6) and the idempotent, 
commutative and associative laws of A, it follows from (7.5.2) that there exists t 
such that 

Pn^ilK 5p„,pwq{a)) A t =Rs Un A pwq. (7.5.5) 
Moreover, it is obvious that 

UnApwq^ p'nA{pA A ^p„+i,p^(a)) »iJSPn+i A ( A '^p„+i,p^(a))- 

a^Act a&Act 

By Lemma 7.4 (3), it follows from Pn+i (p^q) ^ F that 
p„+iA( A ^P„+i,P^(«)) ^P- 

a^Act 

Hence p„ A {p A f\ 5p^^^,p^{0')) ^ -F- Thus, by Lemma 3.6 (2), we have 



aeAct 



Un A pwq F 



Pn^{P^ A ^p„+i,p^(a)) • 



a^Act 

So, it follows from (7.5.1) and (7.5.5) that there exists w such that 

PnA{ /\ (5p„,p^(o)) Af t 4>F \w and A ( A ^p„., ,p^(a)) 'J"- 

aeAct aeAct ~ -RS 

Moreover, due to (7.5.4), we get G (-RU C )o c , as desired. □ 

'^RS '^RS 

We now have the below assertion of the equivalence of pwq and pwq. 
Theorem 7.1 pwq =iis P'^q for any process p and q. 

Proof. Since pwq =rs ilp^qipwq), by Theorem 6.2, it is enough to prove that 
pwq 'Qrs pwq. To this end, we intend to show that v ^rs pwq for any v such that 

V Qrs pwq. Assume that v Qns pwq and u 4>f |^^o • Then pwq ^ F. By Lemma 
7.4(1), we have pwq ^ F. In the following, we want to find s such that pwq \s 
and vq IZ s. In the situation that vq ^rs 9) this is straightforward. We next 

^RS 

consider the case where vq %rs q. In such case, it follows from v Qrs pwq and 

V ^F \vo that vq C poQ){pwq) for some po such that p^F \po- Hence, by Lemma 

7.4 (3), we have po A{ A ^po,prog(«)) ^ F. Then, by the rule (Ra^) and Lemma 

a^Act 



3.6(2), it follows that pwq 4>f 



Po A ( A '5po,prog(a)) • Moreover, by Lemma 7.5, 
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we also have uo C poA( /\ (5p(, ,^^9 (a))- Thus the process po A ( /\ Sp^^-p^ia)) 

^ RS a£Act aeAct 

is indeed the one that we need. □ 

It is obvious that the temporal operator always can also be handled in the 
recursive manner. Formally, we have the result below. 



Corollary 7.1 Up =rs pzu-L for any process p. 
Proof. Immediately follows from Corollary 6.2(4) and Theorem 7.1. □ 

Hitherto this paper has provided two approaches to dealing with the temporal 

modal operator unless in pure process algebraic style. One approach is to introduce 
the operators w and ©, and provide SOS rules to describe their behavior. The other 
is to define constants pwq in terms of rjp^q. The latter resorts to only usual rules 

about recursion, but depends on the finiteness of Act as the definition of r/p ^ refers 
to the process having the format /\ [a] p, which can not be generalized smoothly 

aeAcl 

to the situation involving infinitely many actions (see. Remark 6.1). 

8 Connections between CLLT and ACTL 

As mentioned in Section 1, the links between process algebras and (modal) logics 
have been of concern in the literature. Amongst, Pnueli points out that [54], given 
a logic language and a process algebra, interesting connections between them at 
least include (see. Section 1): 

• Hennessy-Milner-style characterization 

• expressivity of the logic language w.r.t the process algebra 

• expressivity of the process algebra w.r.t the logic language 

This section will study the links between two specification formalisms, namely 
CLLT and a fragment of ACTL[49], from these three angles. Following [44], the 
fragment of ACTL considered in this section, denoted by £, consists of all formulas 
generated by BNF below 

(j) ::= tt en{a) \dis{a)\ (p V (f) A (f>\ [a](/) jDc^j (f)W(l), where a € Act. 

As noticed by Liittgen and Vogler, £ contains essentially the safety properties of 
the universal fragment of ACTL [44]. The satisfaction relation p \= (p, to be read 
as "the process p satisfies the formula 0" , is given as follows. 

Definition 8.1([44]) The satisfaction relation |= C T{T,cllt) x £ is defined 
inductively by: 



p\=tt 








p\=ff 


iff 


p&F. 




p \= en{a) 


iff 


ypo{p 4>F jpo 


^ e /(po))- 


p \= dis{a) 


iff 


Vpo(P \P0 


^ a ^ /(po)). 


p\= (j)\J 


iff 


Vpo(p=^F bo 


Po 1= or po (= </9) 
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p\= (pA(p iff Vpo(p =>F \po =^ Po\= <P and po \= if). 



p \= [a](p iff Vpo, Pi{p =5>F bo \pi pi\= (p). 

£ Act Act 

p\=D^ iff ypo,Pl, -PkiP =>F \P0 =>F \Pl ■■■ =^F\Pk =^ Pk\= 4>)- 

(E Act Act \ 

P^F\p,^F\p.-..=^F\Pk \ 

Two simple results immediately follows from the above definition: 

Lemma 8.1 For any p e T^cllt) and € f , j) |= </> if and only if Vpo(f> Ipo 
=^ Po 1= '?^)- particular, p |= whenever p G F. 

Proof. Easily by induction on (p. □ 

Lemma 8.2 If p q then g |= ^ implies p |= for each cj) & L 

Proof. Straightforward by induction on <j). □ 

The converse of Lemma 8.2 can be proved in the standard manner. Hence we 
can get a Hennessy-Milner-style characterization of EflS- In fact, to obtain such 
characterization, a fragment of t is enough [44]. 

As argued by Pnueli, Hennessy-Milncr-stylc characterization presents only the 
weakest requirement of compatibility between a process calculus and a logic [54]. 
The remainder of this section will devote itself to explore stronger associations 
between {T{Y^cllt), ^rs) and {i, \=). Firstly, we consider the expressivity of 
{T{J^cllt), Eijs) w.r.t {£, )=). The starting point of our discussion is the notion of 
a characteristic process. 

Definition 8.2 Given a formula (f> E £, a process G T{Y,cllt) is said to be 
a characteristic process for if Vp G T{T,cllt){p \= (p ^ p EflS t(j,). Moreover, 
(T(Scllt), Efis) is said to be expressive w.r.t {(., \=) if there exists a translation 
function from (. to T{T,cllt) which associates each formula (p € £ with a charac- 
teristic process in syntactic manner. 

Intuitively, the characteristic process represents the most loose process that 
realizes (p. If such exists, verifying the validity of an assertion p \= (p may be 
reduced to the implementation verification of p ^rs t<t>- It can be showed without 
any difficulty that, for any (p, it has at most one characteristic process modulo =_rs- 
In the following, a function [•] : £ — ^ T{T,cllt) is provided, which associates each 
formula (p € i with a characteristic process [4>] . 

Definition 8.3 The translation function [•] : £ — ^ T{T,cllt) is defined by 
[ff] = ± [tt] = true [<PA^] = [cP]A[^] V <^] = [<^] V [^] 

[en(o)] = V ( □ b.true) [dis{a)] = V ( □ b.true) 

aeACAct beA a^ACAct beA 

[[a]cp] = \a] [cP] [DcP] = [</.] [<PW^] = [cP] w [p] 

The above definition is motivated by Liittgen and Vogler's construction. In the 
framework of LLTS, they have given the method of embedding of formulas (in I) 
into LLTS [44]. 
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Lemma 8.3 If p Qrs Pi for some i G {1,2} then p Qrs Pi V P2- Moreover, the 
converse also holds whenever p is stable. 

Proof. Straightforward. □ 

Notice that the assumption that p is stable is necessary for the converse impli- 
cation in the above. For instance, a.O V 6.0 Qrs i-0 V 6.0 but neither a.O V 6.0 Qrs 
a.Q nor a.O V 6.0 Qrs 6.0. Next we intend to show that, given a (p G £, [cp] indeed 
is the characteristic process of cp, which, as the most important result in [44] , have 
been obtained by Liittgen and Vogler in the framework of LLTS. 

Lemma 8.4 For any p G £, [(p] is the characteristic process of ip. 

Proof. It is enough to prove that, p \= ip if and only if p i—Rs ['^] for any 
p e T{Y,cllt) and ip G L This can be proved by induction on p. Here we do not 
present them in full detail but handle three cases as samples. In particular, for the 
case where p has one of formats [a](^, and (j)\W(j)2, the proof is straightforward 
by applying Theorem 6.1, 4.1 and 5.1 respectively. 

• ip = tt 

The implication from right to left follows trivially from Definition 8.1. For the 
converse implication, it suffices to prove p ^rs true. Let p \po- Clearly, 
true I □ a.true, moreover, we also have po C □ a.true by Lemma 

aeI{po) ~RSaeIipo) 

6.1. 

• ip = en{a) 

(Left implies Right) Let p \po- Then it follows from p j= en(a) that a G 

I{po)- Thus [en(a)] = V ( □ b.true) 4>f | □ b.true. Moreover, by 

aeAQAct bGA beI(po) 

Lemma 6.1, p„ C □ b.true. 

~RSbeI{po) 

(Right implies Left) Let p ^f \po- It sufhces to show that a G I{po)- Since 
P Ei?5 [en(a)] = V ( n b.true), we get po CI □ b.true for some Aq with 

aeACAct beA ~RSbeAo 

a G Aq. Then, due to po ^ F, we have I{po) — I{ O b.true) = Aq. Hence 

beAo 

a G I{po). 

• (yj = ^1 V 02 

p 1= 01 V (/i2 

Vpo(p 4>F \P0 ^ Po\= (f'l or Po 1= 02) 

^ Vpo(p 4>F |po Po Efls [0i] or Po Cijs [02]) (by IH) 

^ Vpo(p =>f \po => Po ^Rs [0i] V [02]) (by Lemma 8.3) 

^ V?>o(p ^f \pa =^ Po Qrs [01 V 02] ) 

[01 V02]. □ 

As usual, for any formula and p, p is said to be a logic consequence of 0, in 
symbols ^ if for any process p, p\^ (p implies p\= p. Moreover, and pi are 
said to be logic equivalent ii (j) \= p and p \= 4>. As an immediate consequence of 
the above theorem, we have the result below. 
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Corollary 8.1 For any formula (j) and ip in I, 

(1) M h ^■ 

(2) 1= if and only if [0] 1=^5 [ip\. 

Proof. (1) immediately follows from [(f\ Qr,s [0] and Lemma 8.4. (2) follows 
from (1), the transitivity of ^rs and Lemma 8.4. □ 

Moreover, since the function [•]:£—>■ T{T:cllt) is given in syntactic manner, 
we have the result below. 

Theorem 8.1 {T{^cllt), Qrs) is expressive w.r.t {£, \=). 

We next deal with another stronger connection between CLLT and {£, |=), which 
involves the fragment T{T,cllt)~ of TCScllt) defined below. 

Definition 8.4 T{'Ecllt)~ consists of processes generated by BNF below, 
where A C Act and a G Act. 

p ::= I _L I true \ a.p \ p'V p \ p Ap \ □ b.true \ ^p \ pwp \ ( □ b.true)U\a.p 

In the following, we intend to prove that \=) is expressive w.r.t {T{J^cllt)~ , 
^Rs)- Analogous to [54], such notion is defined formally as follows. 

Definition 8.5 (£, \=) is said to be expressive w.r.t {T{T,cllt)~ i Efls) if for 
any process p in T{T,cllt)~ there exists a formula (jjp in £ such that 

(El) G T{Y.cllt){ qQRSP^q\=<l>p), and 
(E2) Vip G e{p \= ip ^ (Pp \= if). 



Obviously, given a process p, (j)p (if it exists) is a characteristic formula for p 
due to (El), moreover, it is the strongest logic formula (p in £ such that p \= (j) due 
to (E2). In order to prove that {£, \=) is expressive w.r.t {T{T,cllt)~ , Efls)) we 
will introduce the hmction * below, and show that it is exactly the lower adjoint 
of the function [•] and associates each process p G T{TtCLLT)~ with a characteristic 
formula p* . 

Definition 8.6 The translation function * : T{Yjcllt)~ ^ ^ is defined induc- 
tively by 

_L*= // true* = tt {a.p)* = en{a) A [a]p*A /\ dis{b) 

a^beAct 

0* = A (iis{a) ( □ b.true)* = ( f\ en{b)) A ( A dis{a)) 

aGAct b£A f,GA aeAct-A 

{pAq)*^p*Aq* {p W q)* = p* \/ q* (Ip)* = Dp* (pzuq)* = p*Wq* 
( □ b.trueOa.p)* = ( □ b.true)* A [a]p* 

a^beA beAU{a} 

Lemma 8.5 p ^rs q if and only if p \= q* for any p G T{TtcLLT) and q G 
TCScllt)' ■ 
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Proof. Clearly, it holds trivially whenever p G F. In the following, we consider 
the nontrivial case p ^ F, and proceed by induction on q. 

• q = l. 

It follows from p ^ F that p %rs -L and p^ ff ■ Hence p Qrs -L P H //• 

• q = true 

Immediately follows from p Qrs true and p \= tt for each p . 

• q = 

P Efls 

^ Wpoip 4>F \po ^ liPo) = 0)- 

Vpo(p =^F \po ^ Va G Act(a ^ I{po)) ) (due to po 7^ ) 

<^ Vpo(p =§'F |po Va G ^ct(po H dis{a) )) 
<s=> Vpo(p 4>ir \po Po h A c^*s(a) ) 

P h A dis{a) (by Lemma 8.1) 

• 5 = □ h.true 
P EflS □ b.true 

bGA 

ypoip \po ^ AC I{po) and {Act - A) n I{po) = 0) 
^ ^Poip =^F bo ^ Po\= A 6*^(0) and po h A dis{b)) 

aeA b£Act-A 

^\/pa{p bo Po h A en(a) A A dis{h)) 

aeA bzAct-A 

^ p\= f\ en{a)A /\ dis{b) (by Lemma 8.1) 

aeA beAct-A 

• q = a.qi 

P ^RS a.qi 

<^ Vpo{p 4>F bo Po C a.g'i) 

(*) ^ / £ , / a G 7(po) and V6 G Act{a ^h^h^ I{po)) 
\ \ and Vpi(po bi ^ Pi E-RS <?i) 

/ ^ / po ^ en(a) and po 1= A dis{b)) \\ 

^ Vpo P 4>F bo „ a^bSAct 

V \ and Vpi(po |pi ^Pi h 9i) // 
/ / po ^ en(a) and po 1= A dis{b)) \\ 

^ Vpo P =»F bo =^ a^beAct 

V V and po ^ [a]^^) // 
Vpo I p 4>F bo ^ I Po H e"(«) A A A c^^s(6) ) ) 

\ \ a^beAct J J 

^ p\= en{a) A [a]qlA A dis{b) (by Lemma 8.1) 

a^beAct 

(J|t) For the implication from right to left, we need to show that a.qi ^ F under 
the assumption p bo- By Lemma 3.8 and 3.5, it follows from po ^ F and 
a e I{pa) that po ^f bi foi" some pi. Hence pi ^rs qi- Then qi ^ F because of 
pi ^ F. Thus a.(?i ^ F by Lemma 3.3(2). 

• g = tei or qi'!Ziq2 
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Immediately follows from Theorem 4.1, 5.1 and IH. 



P Qrs qi A q2 

4^ Vpoip 4>F bo = 

^Vpo{p 4>F \P0 = 

-^ypoip \po = 

Vpo(P \P0 = 

^ Vpo(P 4>ir Ipo = 

^P\= (91 A 92)*. 



Po Qrs qi A Q'2) 

Po Efls 91 and Po Ei?5 52) 

po h 9i and po \= ^2) 

po N ql A 92) 

Po H (91 A 92)* ) 



(by Lemma 3.11) 
(by IH) 



(by Lemma 8.1) 



(by Lemma 8.3) 
(by IH) 



(by Lemma 8.1) 



• q=qiVq2 
P Ers 91 V 92 

^ ypo{p \po ^ Po Ers 91 Vg'2) 

Vpo(p Ipo ^ Po Ers 9i or po Ers 92) 
<^ Vpo(p 4>F Ipo =^Po\=qt or Po H 92) 
<^ Vpo(p 4>F Ipo Po H 9t V g^) 
^ Vpo(p ^F Ipo Po H (91 V 92)* ) 
^P N (91 Vgz)*- 

• 9 = □ fe.trweDa.g'i 
P Ers □ b.trueOa.qi 

<^Vpo(p=5>F Ipo ^ Po C □ b.trueUa.qi ) 

^■^^ Vpo(p ^F Ipo ^(Po) = A\j{a} and V pi(po ^f |pi Pi Ers 9i)) 
<^ Vpo(p ^F Ipo =^ Po C □ b.true and Vpi(po =^f |pi Pi h 9i)) 

~RS6GAu{a} 

<^ Vpo(p ^F Ipo =^ Po h ( □ b.true)* and po |= [ajg^) 

&eAu{a} 

<^ p 1= ( □ b.true)* h[a]ql 

beAU{a} 

(i|k) For the implication from right to left, it is required to verify □ b.true\2a.qi 

a^beA 

^ F under the assumption p |Po • Clearly, it suffices to prove that qi ^ F, which 
can be proved analogously to (♦). □ 



As an immediate consequence of the above result, we have 



Corollary 8.2 For any process p and q in T{T,cllt) , 

(1) p^p* 

(2) p Ers 9 if and only if p* \= q* . 



Proof. (1) immediately follows from p Qrs P and Lemma 8.5. (2) follows from 
(1), the transitivity of Ers and Lemma 8.5. □ 



In order to prove that {£, \=) is expressive w.r.t {T{^cllt)~ , Ers)j the only 
point remaining concerns (E2), that is, p ^ 1^ iff \= ip for any p G T(Y,cllt)~ and 
£ £. Before proving it, let we recall the well-known notion of a Galois connection 
between two preordered sets. 
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Definition 8.7 A Galois connection between two preordered sets {A, and 
{B, :<b) is a pair of function F : B A and G : A ^ B satisfying that, for any 
X € B and y £ A, F{x) :<a y if and only if x <b G{y). 

It is well known that (F, G) is a Galois connection if and only if F and G are 
monotonic and satisfy the cancellation laws below (see for instance [6]) 

(Gl) X GiF{x)) for all x G B, and 
(G2) F{G{y)) y for all y € A. 

Using Lemma 8.4, it is easy to see that (E2) holds if and only if the pair (*, [•]) 
is a Galois connection between preordered sets {£, \=) and {T{T,cllt)~ , Eijs)- 
Next we shall prove the latter. 

Theorem 8.2 (Galois connection) The pair of functions * : TCEcllt)' — > ^ 
and [•] : ^ ^ T{T,cllt)~ is a Galois connection between preordered sets {£, \=) 
and {T{T.cLLTy , Qrs)- That is, p* |= if and only if p Qrs [(!>] for any p G 
T{Y.cllt)- and 4> & I. 

Proof. By Definition 8.3, 8.4 and 6.3, it is easy to check that [</>] G T{J^cllt)~ 
for any (j) €z i. Thus the function [•] may be regarded as a function from £ to 
T{^cllt)~ ■ On the other hand, by Corollary 8.1 and 8.2, both the function * and 
[•] are monotonic. Thus it suffices to prove that cancellation laws (CI) and (C2) 
hold. 

For (CI), suppose p e T{T.cLLTy. By Corollary 8.2, wc got p ^ P* ■ Then 
P Qrs [p*] by Lemma 8.4. Hence (CI) holds. 

For (C2), let c6 e ^. Wc intend to prove that [0]* |= 4>. Let (7 be any process 
such that <7 1= [0] . To complete the proof, it is enough to verify that q \= <p. By 
Corollary 8.1, we obtain ^ ((>. Moreover, by Lemma 8.5, it follows from q \= [0]* 
that q [</>]. Hence g |= ^ by Lemma 8.2, as desired. □ 

Roughly speaking, the above theorem says that the function * is exactly the 
lower adjoint of the function [•]. That is, for each process p G T{T,cllt)~ , P* is the 
strongest logic formula ^ in such that p C_rs [0], dually, the function [•] associates 
with each formula <p in i the most loose process p £ T{T,cllt)'' such that p* \= (j). 
As an immediate consequence of Theorem 8.2, we obtain the assertion below. 

Theorem 8.3 {£, \=) is expressive w.r.t {T{T,cllt)~ , ^rs)- 

Proof. Let p G T{Y,cllt)~ ■ It suffices to illustrate that p* satisfies (El) and 
(E2) in Definition 8.5. Clearly, (El) holds due to Lemma 8.5, and (E2) comes from 
Theorem 8.2 and Lemma 8.4. □ 

By the way, it is obvious that, for CLLT^, all results obtained in this section 
also hold by making a few slight modifications. 

9 Conclusions and future work 

This paper gives two distinct methods of representing the loosest (modulo Ei?s) 
implementations that realize logic specifications "always p" or "p unless g" in 
terms of algebraic expressions. One method is to introduce nonstandard process- 
algebraic operators ft, m, A and to capture Liittgen and Vogler's constructions in 
[44] directly. The other is to apply the greatest fixed-point characterization of w and 
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Lemma 8.4 



Implementation Verification 



^ Model Checking 




Lemma 8.5 



Corollary 8.1(2) 



Corollary 8.1(2) 



Lemma 8.5 



Validity Problem within i 



Figure 1: connections between distinct verification activities 

obtained in this paper (see, Theorem 6.2 and Corollary 6.3) and provide graphical 
representing of temporal operators always and unless in a recursive manner. The 
latter is independent of Liittgen and Vogler's constructions, and its advantage lies 
in the fact that it makes no appeal to any nonstandard operational operators, but 
it depends on the mild assumption that Act is finite. In a word, this paper not only 
lifts Liittgen and Vogler's work in [44] to a pure process algebraic setting but also 
provides another more succinct method to realize their intention. 

This work brings the process calculuses CLLT in which usual operational opera- 
tors (prefix, external choice and parallel operator) , logic connectives (conjunction 
and disjunction) and standard temporal operators (always and unless) may be 
freely mixed without any restriction, and compositional reasoning is admitted. Such 
calculus allows one to capture desired operational behavior and describe intended 
safety properties in the same framework. Moreover, the links between CLLT and 
the fragment £ of ACTL are explored from angles suggested by Pnueli in [54] . These 
links reveal that there exist intimate relationships among distinct verification ac- 
tivities including model checking, implementation verification and validity problem 
within i. We summarize the reductions among these verification activities in Fig.l, 
where dashed lines are used to indicate that the process term involved in the cor- 
responding reduction is required to be in T(^cllt)' ■ 

In the literature, various work on combining operational operators with logic 
operators have been reported [33, 41, 50]. Oldcrog provides a framework in which 
operational operators may be combined with trace formula [50]. But such frame- 
work does not allow one to freely mix operational and logic specifications. Guerra 
and Costa enrich a simple process algebra with a modal operator which can express 
some livcness property [33]. However, due to adopting trace semantics, this system 
is not deadlock-sensitive, and hence it is inadequate in the situation where concur- 
rency is involved. In [41]. based on the notion of modal LTS, Larsen et al. consider 
the operator conjunction over independent processes and obtain the result analo- 
gous to Lemma 3.11. Moreover, in such framework, it is shown that conjunction 
may distribiitc over parallel composition. However, an algebraic theory of mixing 
operational and logic operators is not considered in [41]. There also exist investiga- 
tions of operational behavior involving logic ingredient but without admitting the 
free mixing of operational and logic operators, see, e.g., [7, 22]. 

We conclude this paper with giving several possible avenues for further work. 
Firstly, finding a complete proof system for CLLT would be the next task. Secondly, 
although this paper provides recursive constants to represent the "loosest" imple- 
mentations realizing logic specifications "always p'' or "p unless q'\ no attempt 
has made here to develop general theory concerning recursion for LLTS and a few 
fundamental problems are still open. For instance, whether Cijg is precongruent 
in the presence of (nested) recursive operator? Under usual conditions (see, e.g.. 
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[45]), whether equations containing (nested) recursive operator stiU have a unique 
solution? Notice that, since LLTS involve consideration of inconsistencies, the an- 
swers for these questions can not be triviahy inferred from existent resuhs in the 
literature. Thirdly, it would also be interesting to develop a general view of the 
connections between process algebras and modal logics. We leave these further 
developments for further work. 
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